How I compromised Tinder profile using Facebook’s profile gear and won $6,250 in bounties

How I compromised Tinder profile using Facebook’s profile gear and won $6,250 in bounties

However this is becoming published utilizing the license of Twitter within the liable disclosure approach.

The vulnerabilities mentioned in this article are connected swiftly with the design groups of Twitter and Tinder.

This article talks about a merchant account takeover weakness i ran across in Tinder’s product. By exploiting this, an attacker might have gathered the means to access the victim’s Tinder levels, which needs made use of their particular phone number to log in.

This may have already been used through a weakness in Facebook’s levels package, which facebook or twitter has recently answered.

Both Tinder’s cyberspace and cellular apps allow users to utilize their particular cellular phone data to log into needed. Which connect to the internet service is actually furnished by levels set (Twitter).

Go Solution Provided With Facebook’s Accountkit on Tinder

The person clicks on go browsing with number on following they might be rerouted to for go online. When verification works after that profile package passes by the accessibility token to Tinder for go online.

Curiously, the Tinder API wasn’t checking out the customer ID regarding token furnished by profile gear.

This allowed the attacker to utilize other app’s availability token supplied by accounts set to consider along the real Tinder accounts of various other users.

Weakness Outline

Levels package are something of Facebook that helps people fast use and get on some authorized software through the help of merely their unique names and phone numbers or email address without needing a code. Truly trustworthy, user friendly, and gives the person options on how they want to sign up for apps.

Tinder is a location-based cellular software for searching and encounter other people. You are able to individuals to like or object to more consumers, thereafter proceed to a chat if each party swiped ideal.

There’s a vulnerability in membership set through which an assailant might have attained having access to any user’s Account equipment account just by making use of their phone number. After in, the opponent could have become ahold with the user’s Account Kit accessibility token within their particular snacks (aks).

From then on, the attacker could use the gain access to token (aks) to sign in the user’s Tinder profile using a susceptible API.

Exactly how my exploit labored step by step

Action # 1

For starters the assailant would sign in victim’s levels equipment levels by going into the victim’s phone number in “new_phone_number” inside API ask demonstrated below.

Please be aware that accounts equipment wasn’t validating the mapping for the phone numbers employing one-time code. The attacker could enter in anyone’s contact number then only sign in the victim’s levels system profile.

Then the attacker could copy the victim’s “aks” access token of Account Kit app from cookies.

The insecure Account Kit API:

Move no. 2

Now the opponent merely replays the subsequent demand making use of the copied gain access to token “aks” of sufferer into Tinder API below.

They are going to logged to the victim’s Tinder accounts. The opponent would after that generally have full control of the victim’s membership. They can look over private chats, whole information that is personal, and swipe different user’s users remaining or ideal, among other things.

Susceptible Tinder API:

Training video Proof Principle


Both the vulnerabilities had been repaired by Tinder and zynga quickly. Zynga rewarded myself around $5,000, and Tinder grant myself with $1,250.

I’m the creator of AppSecure, a skilled cyber security business with many years of experience acquired and meticulous competence. We are now right here to protect your organization and essential information from on the web brick and mortar threats or weaknesses.

When this document ended up being practical, tweet they.

Learn to signal at no cost. freeCodeCamp’s available starting point program has actually aided about 40,000 anyone get projects as builders. Get going

freeCodeCamp was a donor-supported tax-exempt 501(c)(3) nonprofit organization (United States national taxation detection amounts: 82-0779546)

Our personal quest: to help individuals learn to signal free-of-charge. Most people attempt by creating countless videos, articles, and active code sessions – all freely available around the open. Most people also provide 1000s of freeCodeCamp study communities across the world.

Contributions to freeCodeCamp go toward the degree initiatives that really help pay for machines, solutions, and staff members.