Tinder: How Your Secret Chats and Dating Profiles Could Be Hacked

The dating app Tinder is shown on an Apple iPhone in this photo illustration taken February 10, 2016. REUTERS/Mike Blake

Dating application Tinder helps users find love - and flings - but a researcher revealed this week that an easy-to-exploit security bug recently left accounts and private chats exposed to hackers.

Indian engineer Anand Prakash, a serial bug hunter, said in a Medium post on Wednesday, February 20, that a flaw in a Facebook-linked program called Account Kit let attackers armed with just a phone number access profiles.

Account Kit, which is integrated into Tinder, is used by developers to let users log in to a range of apps using mobile details or email addresses without a password.

But there was, until recently, a crack in this process that, according to Prakash, could let hackers compromise "access tokens" from users' cookies – small pieces of data on computers that remember browsing activity as people traverse the internet. The attacker could then exploit a bug in Tinder to use the token, which stores security details, and log in to the dating account with little fuss.

"The attacker basically has full control over the victim's account now," Prakash wrote. "He can read private chats, full personal information, swipe other user profiles left or right."

The ethical hacker, who has in the past been rewarded for finding bugs in popular sites, said the issues were quickly resolved after being disclosed responsibly. Under the conditions of the bug bounty, Prakash got $5,000 from Facebook and $1,250 from Tinder. He uploaded a short YouTube video showing the hack in action.

Bug bounties are increasingly used by online companies to let researchers report security issues in exchange for financial rewards.

In a statement to The Verge, a Facebook spokesperson said: "We quickly addressed this issue and we're grateful to the researcher who brought it to our attention."

Tinder said it does not discuss security issues that could "tip off malicious hackers."

Earlier this year, on January 23, a different set of "disturbing" vulnerabilities was found in Tinder's Android and iOS apps by the Checkmarx Security Research Team.

Experts said hackers could use them to take control of profile pictures and swap them for "inappropriate content, rogue advertising or other type of malicious content." The firm claimed that nefarious attackers could "monitor the user's every move" on the application.

It wrote at the time: "An attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user's Tinder profile and actions in the app."

Tinder, first launched in 2012, now boasts an estimated 50m users worldwide, with roughly 40 percent based in North America. On its website, it claims to facilitate 1m dates every week, with users hitting 1.6bn swipes per day.