Hackers can see your Tinder photos and figure out your matches

Tinder isn’t using encryption to keep your photos safe from strangers sharing the same coffee shop Wi-Fi as you, security researchers found in a report today. Researchers from the Tel Aviv-based firm Checkmarx found that Tinder’s iOS and Android mobile apps still load profile photos over plain HTTP rather than HTTPS, meaning that anyone on the same Wi-Fi network can see the Tinder photos you are viewing or inject their own into the photo stream.

The firm built a proof-of-concept app called TinderDrift, demoed on YouTube, that can reconstruct a user’s session on Tinder if that person is sharing the same Wi-Fi. Although swipes and matches on Tinder are sent over HTTPS, observers on the network can still tell the encrypted commands apart, because a left swipe, a right swipe, a Super Like, and a match each produce a distinctive pattern of byte sizes on the wire, according to Checkmarx.
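Encryption hides what a request says but not how long it is, which is why distinct actions can be told apart by their sizes even over HTTPS. The following added example (not Checkmarx’s tool or Tinder’s code) models that side channel and the standard mitigation of padding requests to a fixed size before encryption; the action sizes and the per-record overhead are constructed values for the demo, not measurements from the report.

```python
from typing import Dict, List, Optional

# Constructed sample: plaintext sizes (bytes) of four hypothetical client requests.
# These numbers are assumptions for the demo, not figures from the Checkmarx report.
ACTION_SIZES: Dict[str, int] = {
    "left_swipe": 312,
    "right_swipe": 318,
    "super_like": 341,
    "match_response": 897,
}

# Assumed constant per-record overhead (record header plus authentication tag).
# The real value depends on the cipher suite, but it is the same for every record,
# so it never hides plaintext length differences.
TLS_RECORD_OVERHEAD = 29


def observed_length(plaintext_len: int, pad_to: Optional[int] = None) -> int:
    """Length an on-path observer sees for one encrypted record.

    Without padding the plaintext length shows through unchanged. With bucket
    padding the plaintext is rounded up to the next multiple of pad_to before
    encryption, so all messages in the same bucket look identical in size.
    """
    if pad_to is not None:
        plaintext_len = -(-plaintext_len // pad_to) * pad_to  # ceiling division
    return plaintext_len + TLS_RECORD_OVERHEAD


def length_classes(sizes: Dict[str, int], pad_to: Optional[int] = None) -> Dict[int, List[str]]:
    """Group actions by the on-wire length an observer would see."""
    groups: Dict[int, List[str]] = {}
    for action, n in sizes.items():
        groups.setdefault(observed_length(n, pad_to), []).append(action)
    return groups


def identifiable_actions(sizes: Dict[str, int], pad_to: Optional[int] = None) -> List[str]:
    """Actions that are alone in their length class, i.e. fully recognisable
    from traffic metadata alone. An empty list means padding has closed the leak."""
    return sorted(
        action
        for group in length_classes(sizes, pad_to).values()
        if len(group) == 1
        for action in group
    )


if __name__ == "__main__":
    for pad in (None, 64, 1024):
        print(f"pad_to={pad}: classes={length_classes(ACTION_SIZES, pad)} "
              f"identifiable={identifiable_actions(ACTION_SIZES, pad)}")
```

Running it shows the trade-off a defender faces: with no padding all four actions are unique, padding to 64-byte buckets still leaves the larger requests recognisable, and padding every request up to one fixed size removes the distinction entirely at the cost of extra bandwidth.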

The researchers say that by combining the intercepted photos with the monitoring of the encrypted commands, an observer could reconstruct almost everything a Tinder user sees and does. Checkmarx also suggests that someone with knowledge of a user’s sexual preferences and other private information could potentially blackmail them, or swap the photos a user sees for inappropriate content or rogue advertising. The only things that remain private are messages and photos exchanged between users after a match.

HTTPS is the standard protocol used by most websites these days, according to statistics from Mozilla: as of January this year, 68 percent of web traffic is encrypted with HTTPS. That is what puts the lock symbol next to the URL in your address bar, and while HTTPS isn’t foolproof, it is basic protection against eavesdropping and tampering on the network.

Tinder responded in a statement to The Verge that the unencrypted photos are profile pictures, and Tinder is a free global platform, so the pictures are “available to anyone swiping on the app” anyway.

It hinted at working on more security measures: “Like every other technology company, we are constantly improving our defenses in the battle against malicious hackers. For example, our desktop and mobile web platforms already encrypt profile images, and we are working towards encrypting images on our app experience as well.”

Tinder also added that it wouldn’t give out any specific information about what those improved defenses would look like, saying, “However, we do not go into any further detail on the specific security tools we use or enhancements we may implement to avoid tipping off would-be hackers.”