Tinder clone TanTan lets wire spies locate lovers
Fixes promised for man-in-the-middle diddle
Popular Chinese Tinder clone TanTan is sending user details in cleartext and sports an API that allows users' locations to be triangulated.
Developer Larry Salibra reported the flaws to TanTan, which has pledged to use encryption in future.
The security slip means users' partner preferences, locations, and personal information are exposed to any man-in-the-middle attackers - for example, snoopers watching traffic on airport or cafe wireless networks.
"Much to my surprise, the information sent between my phone and Tantan’s server somewhere on the other side of the Great Firewall deep in Mainland China was completely readable," Salibra says.
"I could see the password I had just entered, my phone number and all the people I was being matched with.
"And if I could read it, that means any number of other people could as well."
He says the app sends location data several times a minute, including latitude and longitude that can be easily plugged into Google Maps.
In the most serious cases, would-be lovers who match with an attacker can also be located using their user identification numbers.
Salibra also worked out that TanTan developers had left censorship data in the app, allowing him to see the phrases users are banned from sending.
The developer disclosed the flaws in March and only heard back after he published the details.
His disclosure email ended up in an unmonitored or spam inbox, since the company, like many others, did not have a dedicated security address. ®