A hookup app like Tinder already feels a bit seedy, based as it is on superficial, semi-anonymous snap judgements. So the one real safety net—no user can contact another without both parties expressing an interest—is a critical piece of the privacy puzzle.
Only what if that mechanism were less secure than we thought? Web developer Shaked Klein Orbach wanted to try Tinder but was skeptical of how it would handle his data, particularly as it had accidentally revealed users’ physical locations and Facebook details earlier this year. Using something called a man-in-the-middle proxy, Orbach discovered that the app stores Facebook ID numbers, which to a certain degree makes sense.
It’s what you can do with the Facebook ID, and Tinder’s flawed application programming interface (API), that’s more startling: cheat the system itself. When a match is made, a PUT request, authorization headers, and certain parameters are generated. By plugging the appropriate Facebook ID codes into those parameters, you can fake a match between any two users and automatically open a channel of communication between them with Tinder’s default match alert—4 million of which are issued daily—even if each has rejected the other.
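The flaw described above is a server-side authorization failure: the match endpoint trusted the user identifiers supplied in the request instead of deriving the caller's identity from the session and checking that both users had actually expressed interest. The following is an added illustration, not Tinder's code, with a deliberately flawed handler beside a hardened one; the token names, IDs and data structures are constructed for the example.

```python
# Added example (not Tinder's code): a minimal "match" service showing the
# class of flaw described above. vulnerable_match() authenticates the caller
# but then trusts client-supplied user IDs; hardened_match() takes the caller's
# identity from the session and records a match only on mutual interest.
# Session tokens, user IDs and the data layout are constructed for illustration.

from dataclasses import dataclass, field


@dataclass
class MatchService:
    # session token -> authenticated user id (constructed sample data)
    sessions: dict = field(default_factory=lambda: {
        "tok-alice": "fb:1001",
        "tok-bob": "fb:1002",
    })
    # (liker, liked) pairs recorded by the normal swipe flow
    likes: set = field(default_factory=set)
    # each match is an unordered pair of user ids
    matches: set = field(default_factory=set)

    def swipe_right(self, token, target):
        """Normal flow: the authenticated caller expresses interest in target."""
        liker = self.sessions[token]
        self.likes.add((liker, target))

    def vulnerable_match(self, token, user_a, user_b):
        """Flawed: any authenticated caller can name two arbitrary accounts and
        the server creates the match (and would send the match alert) for them."""
        if token not in self.sessions:
            raise PermissionError("unauthenticated")
        self.matches.add(frozenset((user_a, user_b)))
        return True

    def hardened_match(self, token, other):
        """Fixed: the caller's own id comes only from the session, and a match
        is created only when both sides have independently liked each other."""
        me = self.sessions.get(token)
        if me is None:
            raise PermissionError("unauthenticated")
        mutual = (me, other) in self.likes and (other, me) in self.likes
        if not mutual:
            return False  # no match, so no alert and no message channel
        self.matches.add(frozenset((me, other)))
        return True
```

The hardened handler never reads the second party's id from the request body as a claim about the caller; a user who has not swiped right on the other simply gets no match, regardless of what the request says.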
It may not be Love Potion No. 9, but that sort of glitch could certainly leave a customer open to forms of stalking and harassment that Tinder theoretically guards against. Quartz reported on Orbach’s investigation and eventually obtained a statement from Tinder CEO Sean Rad, who said, basically, “we got this.”
We want to thank Mr. Orbach for pointing out a way to create a match with another user through manipulating certain API calls. This issue is now resolved and to our knowledge no one was affected outside of Mr. Orbach’s test. We are committed to taking all necessary steps to ensure the privacy of our users and we appreciate the help and support of great engineers like Mr. Orbach.
It’s lucky for Orbach, anyway, that Tinder saw the merit in his work. Most companies would treat a hacker who demonstrated system vulnerabilities as a dire threat in their own right. (We’re looking at you, Apple.)