Are You on Tinder? Someone May Be Watching You Swipe

INTRODUCTION

Launched in 2012, Tinder is one of the first “swiping apps”, allowing users to swipe through profiles to ultimately make social connections: swiping right for a profile they like, swiping left to move on to the next profile (indicating lack of interest), or “super liking” with an upward swipe. Although Tinder’s mission* is “empowering users around the world to create new connections that otherwise might never have been possible”, the application is most commonly used as a dating platform. According to its website, Tinder has matched over 20 billion people to date, and is used in 196 countries.

Due to its nature, Tinder users regularly upload personal information alongside photos of themselves, with the assumption that this application is secure and protective of their data. However, Checkmarx’s Security Research Team recently conducted elaborate research which exposed worrisome security vulnerabilities in this highly popular application. The team went through the responsible disclosure process, sending a full report to the Tinder security team and notifying them of our intention to publish our findings.

The following paper presents the research and its findings on both the Android and iOS versions of Tinder.

* https://www.gotinder.com/press?locale=en

checkmarx.com    1 (800) 257-5746

RESEARCH FINDINGS

Our research found two vulnerabilities that, once combined, enable a malicious attacker to spy on a Tinder user’s every move in the app. This means the attacker can see the user’s profile, the profiles the user views and the actions he or she takes (for example, swiping left / right and “super liking”). The attacker can follow the user’s Tinder matches and seriously compromise the user’s privacy.

In order to carry out the attack, the attacker needs to be on the same WiFi network as the user. This is possible via any public hotspot.
Other scenarios where an attacker can intercept traffic include VPN or company administrators, DNS poisoning attacks or a malicious internet service provider, to name a few.

Discovered Vulnerabilities:

CVSS: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE 6017: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6017
CVE 6018: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6018

In order to demonstrate an attack, we produced a fully functional app, “TinderDrift”; any attacker could have developed this app as well. To see a full demonstration of how this app was used to follow Tinder users’ actions on Tinder, see this video: https://youtu.be/ZBTL1bmJ9o8

USE CASES AND ATTACK SCENARIOS:

The following are a few examples of how the vulnerabilities mentioned above can be used to perform a malicious attack.

A) Insecure HTTP Connections

Both iOS and Android versions of Tinder make insecure HTTP requests when downloading user profile pictures. The behavior is slightly different between iOS and Android but the result is similar: attackers can easily discover what device is viewing which profiles. Furthermore, if the user stays online long enough, or if the app initializes while on the vulnerable network, the attacker can identify and explore the user’s profile.

Highlighted in green is the user ID, in yellow the photo resolution and the orange is a random uuid.

Requests that are made with a 640x640 photo resolution while the user is browsing the app lead to the profile currently shown on the user’s screen or about to be shown on his/her screen. Requests with a 320x320 photo resolution are connected to the user profile under attack. This is consistent in the iOS version of Tinder but only randomly happens on the Android version.
Requests with an 84x84 photo resolution mean the user just opened a chat window (a reduced version of the profile picture appears in the chat window).

The above demonstrates how using HTTP allows for snooping around a victim’s profile, but it also allows an attacker to intercept and modify traffic. Profile images that the victim sees can be swapped, rogue advertising can be placed and malicious content can be injected (if, as an example, the targeted device suffers from an image format vulnerability).

Demo: https://youtu.be/azg1Plb7U3c

Recommendations:

We highly recommend switching HTTP to HTTPS. One might argue that this affects speed quality, but when it comes to the privacy and sensitivity needed, speed should not be the main concern.

B) Predictable HTTPS Response Size

By carefully analyzing the traffic coming from the client to the API server and correlating it with the HTTP image request traffic, it is possible for an attacker to determine not only which image the user is seeing on Tinder, but also which action the user took. This is done by checking the API server’s encrypted response payload size to determine the action.

This is how the traffic flow works in a nutshell:

1) Tinder is initialized and may (or may not) request a profile image from http://images.gotinder.com
2) The app then makes many requests for the main profile photo to cache on the device from http://images.gotinder.com
3) The app requests the secondary photos of the next profile to be shown (to speed things up) from http://images.gotinder.com
4) User input is required: swipe left, right, or up
5) A request is made and a response is received from api.gotinder.com.
   The response size changes for each action
6) If the main photo cache is empty, the app can then go to (2), otherwise to (3)

By correlating the response payload size in (5) with the secondary image request in (3), an attacker can conclude which action the user took for each profile he/she went through.

The packets are sent from the Tinder app to the image server on port 80 (HTTP) and replies from the API server on port 443 (HTTPS) after the user completed an action.

The first case, highlighted in orange, represents a swipe left (meaning “moving on to the next profile”). First, the app requests two additional profile photos via HTTP, then the user takes another action and the API server replies with a 278 byte encrypted response. The second case, also highlighted orange, is similar; however, there was only one previous HTTP request. Again, 278 bytes for a left swipe. In the third case, highlighted green, we see five previous additional profile image requests, followed by a 374 byte response, indicating that the user has swiped right. Finally, the fourth case, highlighted in red, shows a “liked” and “matched” response, with 581 bytes, that followed three secondary profile HTTP requests.

This way, by carefully inspecting network traffic and monitoring what the user is doing, an attacker can pinpoint each of the user’s actions.

It is important to note that while recently analyzing the Android app, the research team noticed that the latest Tinder version has certificate pinning in place. This makes it harder to analyze the HTTPS traffic to the API server (api.gotinder.com) even when a rogue certificate authority has been installed on the device. This is good news for the app’s Android users: given that communications to the API server are properly secured via HTTPS, an attacker cannot simply snoop the traffic to analyze what the Tinder app is sending to the server, since it is encrypted.
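
The size signal described above disappears when every action response has the same length on the wire. The following is an added example, not code from Tinder or from the original paper: it pads JSON response bodies up to a fixed bucket size. The payload fields, the `_pad` key and the 1024-byte bucket are assumptions made for illustration.

```python
import json
import secrets

BUCKET = 1024     # assumed bucket size; choose one above the largest routine response
PAD_KEY = "_pad"  # hypothetical field name that the client agrees to ignore

def pad_response(payload: dict, bucket: int = BUCKET) -> bytes:
    """Serialize payload as JSON, padded up to the next multiple of bucket bytes."""
    if PAD_KEY in payload:
        raise ValueError(f"payload already uses reserved key {PAD_KEY!r}")
    body = dict(payload, **{PAD_KEY: ""})
    base = len(json.dumps(body, separators=(",", ":")))  # ASCII output: chars == bytes
    target = -(-base // bucket) * bucket                  # round up to a bucket boundary
    need = target - base
    # Random filler rather than a constant run. Compression must still be disabled
    # for these responses (or applied before padding), or size differences return.
    body[PAD_KEY] = secrets.token_hex((need + 1) // 2)[:need]
    return json.dumps(body, separators=(",", ":")).encode("ascii")

def strip_padding(raw: bytes) -> dict:
    """Client side: parse the body and discard the padding field."""
    body = json.loads(raw)
    body.pop(PAD_KEY, None)
    return body

# Constructed sample payloads (not Tinder's real API format), one per user action.
SAMPLES = {
    "pass":  {"status": 200},
    "like":  {"status": 200, "match": False, "likes_remaining": 100},
    "match": {"status": 200, "match": {"id": "constructed-match-id",
                                       "participants": ["user-a", "user-b"]}},
}

def wire_sizes(padded: bool) -> dict:
    """Body length per action, with or without padding."""
    if padded:
        return {a: len(pad_response(p)) for a, p in SAMPLES.items()}
    return {a: len(json.dumps(p, separators=(",", ":"))) for a, p in SAMPLES.items()}

if __name__ == "__main__":
    print("unpadded:", wire_sizes(False))  # three distinct lengths
    print("padded:  ", wire_sizes(True))   # every action reports BUCKET bytes
```

A body larger than one bucket rounds up to the next multiple, so only a coarse size class leaks. The same treatment has to cover the request side and any response headers whose length depends on the action.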

Recommendations:

User responses should not be predictable. Padding the requests and responses should be considered in order to reduce the information available to an attacker. If the responses were padded to a fixed size, it would be impossible to differentiate between them. Otherwise, even though encrypted, the responses contain valuable information.

C) Combining the Two Vulnerabilities

An attacker located in a public space with available WiFi (an airport, restaurant, etc.) can log all HTTP traffic going to Tinder servers and analyze Tinder’s API server responses. This means the attacker can collect information about all of the app’s users on the same WiFi network. The attacker can follow how users are using the app in real time. This attack method enables an attacker to blackmail vulnerable users; for example, consider those users cheating on their significant others, users uploading sensitive images, users declaring sensitive sexual information, and so on.

CONCLUSION

It is possible for an attacker to take advantage of two apparently minor and unrelated vulnerabilities in order to infer a Tinder user’s screen, completely invading the target’s privacy.

The assumption that HTTP can be used in a sensitive application must be dropped. Standard HTTP is vulnerable to eavesdropping and content modification, introducing potential threats that might not even be related to the app itself but to the underlying operating system and/or used libraries. HTTPS increases security overall and nowadays seems to be even faster than HTTP in most cases. The use of HTTP allows for the escalation of other types of attacks, such as the Response Size Predictability shown in this paper.
We highly recommend that our readers be mindful of the likelihood of such attacks on their privacy and avoid public networks when possible, as these are highly vulnerable.

ABOUT CHECKMARX

Checkmarx develops solutions used by developers and security professionals to identify and fix vulnerabilities in web and mobile applications early in the development lifecycle. It provides an easy and effective way for organizations to automate security testing within their Software Development Lifecycle (SDLC), which systematically eliminates software risk before applications are released. Amongst the company’s 1,000 customers are 5 of the world’s top 10 software vendors and many Fortune 500 and government organizations, including SAP, Samsung, Salesforce.com and Coca Cola. In 2017, Checkmarx acquired Codebashing, a game-like AppSec training solution for developers. For more information about Checkmarx, visit checkmarx.com or follow us on Twitter: @checkmarx