Hey, you. App dev. You like secure software? Let's learn from Tinder, Facebook's blunders

API holes would let miscreants spy on sexting lovers


App developers should take a long, hard look at how they use Facebook's Account Kit for identifying users – after a flaw in the system, and Tinder's use of the toolkit, left shag-seekers open to account hijacking.

When a horny netizen logs into their Tinder profile using their phone number as a username, the hookup app relies on the Facebook-built AccountKit.com to check the person is the legitimate owner of that number.

Facebook's system texts a confirmation code to the punter, they receive it on their phone, and type the code into Account Kit's website. Account Kit verifies the code is correct, and if it is, issues Tinder an authorization token, allowing the login attempt to complete.

It's a simple, easy, and supposedly secure password-less system: your Tinder account is linked to your phone number, and as long as you can receive texts to that number, you can log into your Tinder account.

However, Appsecure founder Anand Prakash discovered Account Kit didn't check whether the confirmation code was correct when the toolkit's software interface – its API – was called in a particular way. Supplying a phone number as a "new_phone_number" parameter in an API call over HTTP skipped the verification-code check entirely, and the kit returned a valid "aks" authorization token for that number anyway.

Thus, you could supply anyone's phone number to Account Kit, and it would return a legit "aks" access token as a cookie in the API's HTTP response. That's not great.

Prepare for trouble, and make it double

Now to Tinder. The app's developers forgot to check the client ID in the login token from Account Kit – in other words, that the token had actually been issued for Tinder's app and not for some other Account Kit client – meaning it would accept the aforementioned "aks" cookie as a legit token. Thus it was possible to get Account Kit to mint an authorization token for a stranger's phone number, and then hand it to Tinder's app to log in as that person.

All you'd need is a victim's phone number, and bam, you're in their Tinder profile, reading their saucy messages between hookups or discovering how much of an unloved sad sack they were, and setting up dates.
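The two blunders above – the identity provider minting a token without ever checking the code, and the app accepting a token that was issued for somebody else's client ID – are reproduced side by side below in a toy model. This is an added example, not Tinder's or Account Kit's code: the token format, the "new_phone_number" branch, the client IDs and the signing key are constructed stand-ins, and the real Account Kit API and token layout are not reproduced here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key for the toy identity provider (hypothetical).
SIGNING_KEY = b"demo-signing-key-do-not-reuse"
TOKEN_TTL = 300  # seconds

# Hypothetical client IDs: one for the dating app, one the attacker registered.
DATING_APP_CLIENT_ID = "app-dating"
ATTACKER_CLIENT_ID = "app-attacker"


def _sign(claims):
    """Mint a minimal signed token: base64url(JSON claims) '.' hex(HMAC-SHA256)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def _verify_signature(token):
    """Return the claims if the HMAC tag checks out, else None."""
    try:
        body, tag = token.split(".", 1)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


class IdentityProvider:
    """Toy phone-number login service: send a code, confirm it, get a token."""

    def __init__(self):
        self.pending = {}  # (client_id, phone) -> confirmation code

    def send_code(self, client_id, phone):
        code = "%06d" % secrets.randbelow(10 ** 6)
        self.pending[(client_id, phone)] = code
        return code  # stands in for the SMS the user would receive

    def _issue(self, client_id, phone):
        # "aud" records which client the token was minted for.
        return _sign({"sub": phone, "aud": client_id, "exp": int(time.time()) + TOKEN_TTL})

    def _code_matches(self, client_id, phone, code):
        # Single use: the pending code is consumed whether or not it matched.
        expected = self.pending.pop((client_id, phone), None)
        return code is not None and expected is not None and code == expected

    def confirm_vulnerable(self, client_id, params):
        """Bug modelled on the article: a request carrying "new_phone_number"
        takes a branch that never compares the code but still mints a token."""
        if "new_phone_number" in params:
            return self._issue(client_id, params["new_phone_number"])
        if self._code_matches(client_id, params.get("phone_number"), params.get("confirmation_code")):
            return self._issue(client_id, params["phone_number"])
        return None

    def confirm_fixed(self, client_id, params):
        """Every path that ends in a token goes through the code check."""
        phone = params.get("new_phone_number") or params.get("phone_number")
        if self._code_matches(client_id, phone, params.get("confirmation_code")):
            return self._issue(client_id, phone)
        return None


def login_vulnerable(token):
    """Relying party that checks signature and expiry but never the audience."""
    claims = _verify_signature(token)
    if claims is None or claims.get("exp", 0) < time.time():
        return None
    return claims.get("sub")


def login_hardened(token, expected_client_id=DATING_APP_CLIENT_ID):
    """Same, plus the check Tinder missed: the token must have been issued for us."""
    claims = _verify_signature(token)
    if claims is None or claims.get("exp", 0) < time.time():
        return None
    if claims.get("aud") != expected_client_id:
        return None
    return claims.get("sub")


def demo(victim_phone="+15555550100"):
    idp = IdentityProvider()
    # Legitimate flow: the dating app requests a code and the user types it in.
    code = idp.send_code(DATING_APP_CLIENT_ID, victim_phone)
    legit = idp.confirm_fixed(DATING_APP_CLIENT_ID,
                              {"phone_number": victim_phone, "confirmation_code": code})
    # Attack: the attacker's own client hits the buggy branch with the victim's number.
    stolen = idp.confirm_vulnerable(ATTACKER_CLIENT_ID, {"new_phone_number": victim_phone})
    return {
        "legit_login_works": login_hardened(legit) == victim_phone,
        "token_minted_without_code": stolen is not None,
        "vulnerable_app_accepts": login_vulnerable(stolen) == victim_phone,
        "hardened_app_rejects": login_hardened(stolen) is None,
        "fixed_idp_refuses": idp.confirm_fixed(ATTACKER_CLIENT_ID,
                                               {"new_phone_number": victim_phone}) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, "->", result)
```

Either fix on its own would have stopped the attack chain described here, which is the point: the provider must never mint a token on a path that skips the proof of possession, and the app must refuse any token whose audience isn't its own client ID, regardless of who signed it.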

"He will be logged in to the victim’s Tinder account," explained Prakash earlier this week, apparently assuming only guys would be interested in this kind of caper. Pssh, as if.

"The attacker basically has full control over the victim’s account now — he can read private chats, full personal information, swipe other user profiles left or right, etc."

Prakash reported the flaws to Facebook and Tinder, and went public with his findings after the bugs were ironed out of the backend systems and app. Facebook paid out $5,000 in bug bounties, with Tinder kicking in an extra $1,250.

Thankfully, it doesn't appear the holes were exploited in the wild. Hopefully this episode will encourage programmers to double-check they're not making the same blunders in their own source code. ®
