Tinder accounts were nearly swiped right into the hands of hackers after researchers found they were able to log in to user accounts using just a phone number. Supplying a phone number as a "new_phone_number" parameter in an API call over HTTP skipped the verification code check, and the kit returned a valid "aks" authorization token. When a Tinder member clicks login, the user is redirected to Account Kit, and if authentication succeeds, the user receives an access token for their Tinder account. Conveniently enough, Account Kit also had a bug in which an attacker could have gained access to any user's Account Kit simply by using their phone number.
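To show the defensive side of the flaw described above, here is an added example (constructed for this page, not Account Kit's or Tinder's code) of a phone-number login step: the weak handler trusts whatever number the client supplies, while the hardened handler only issues a token for a number whose one-time code was actually confirmed, ignores extra client fields such as `new_phone_number`, and consumes the verification so it cannot be reused. Class and method names are assumptions.

```python
import hmac
import secrets


class VerificationRequired(Exception):
    """Raised when a token is requested for a number whose code was never confirmed."""


class PhoneLogin:
    """Constructed stand-in for an SMS-code login service (not Account Kit's code)."""

    def __init__(self):
        self._pending = {}      # phone -> one-time code awaiting confirmation
        self._verified = set()  # phones whose code was confirmed and not yet consumed

    def request_code(self, phone):
        # In production the code is sent by SMS; here it is returned for the demo.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = code
        return code

    def confirm_code(self, phone, code):
        # Constant-time comparison against the code issued for this exact number.
        expected = self._pending.get(phone)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        del self._pending[phone]
        self._verified.add(phone)
        return True

    def issue_token_weak(self, request):
        # Weak pattern: any number the client supplies (here via an optional
        # 'new_phone_number' field) is trusted without checking that its
        # code was ever confirmed, so the verification step is bypassed.
        phone = request.get("new_phone_number") or request["phone_number"]
        return {"phone": phone, "token": secrets.token_urlsafe(32)}

    def issue_token(self, request):
        # Hardened: the token is bound only to a number whose code was
        # confirmed server-side; extra client-supplied fields are ignored,
        # and the verification is consumed so it cannot be replayed.
        phone = request["phone_number"]
        if phone not in self._verified:
            raise VerificationRequired(f"code for {phone} not confirmed")
        self._verified.discard(phone)
        return {"phone": phone, "token": secrets.token_urlsafe(32)}
```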
"The attacker basically has full control over the victim's account now - he can read private chats, full personal information, swipe other user profiles left or right, etc."
Appsecure has already received awards of $5,000 and $1,250 from Facebook and Twitter through the companies' bug bounty programs for reporting such security flaws. The researcher uploaded a short YouTube video showing the hack in action. As has been clarified, the mentioned vulnerabilities were plugged quickly by the engineering teams of Facebook and Tinder. To reward Appsecure's efforts, the two companies paid $5,000 and $1,250, respectively, for its findings and report. "Security is a top priority at Tinder." The firm claimed that nefarious attackers could "monitor the user's every move" on the application.
Luckily, no accounts seem to have been broken into before the vulnerability was patched.
Tinder, first launched in 2012, now boasts an estimated 50 million users worldwide, with roughly 40 percent based in North America.