Your Tinder Chats for All to See?

Tinder Exposed

If you’ve ever registered for an app by choosing to do it through Facebook, you’ve probably come into contact with the social media giant’s Account Kit, a Facebook product that lets users quickly register for and log into apps using either an email address or a phone number, with no password needed.

Well, it turns out there was a vulnerability in Account Kit that made it possible for an attacker (or, in this case, an ethical bug bounty hunter) to gain access to a person’s Tinder account, including profile information, photos, and direct messages, and the exploit required only one piece of very easy-to-obtain personally identifiable information: a phone number.

The exploit was detailed by bug hunter Anand Prakash on Medium, including step-by-step directions showing how an attacker with nothing more than a phone number could compromise a user’s access tokens by sifting through that user’s cookies.

Prakash was careful to point out that the vulnerability had been fixed.

