One of the world’s most popular dating apps is vulnerable to data theft from hackers, security researchers have revealed.
Researchers at vpnMentor found vulnerabilities in Tinder’s platform that could be exploited through its domain, with other online platforms such as Shopify, Yelp and Western Union also identified as being at risk.
“The DOM-XSS vulnerabilities found in Tinder, Shopify, Yelp, Western Union, and Imgur, and the data exposure risks created by them, exemplify the risks that consumers are exposed to in browser-based applications,” says Rusty Carter, VP of Product Management at application-security company Arxan.
The vulnerability was found by white hat hackers, but in the wrong hands it could be dangerous. By exploiting a cross-site scripting flaw present at go.tinder.com, malicious hackers could insert a piece of script code to steal user data and hijack accounts.
The multiple XSS vulnerabilities found by vpnMentor could be used to target not only the personal data of users on these platforms, but also images, ecommerce and money transfers. The security flaw is part of the branch.io internet toolkit, which is widely used across the web, and could put up to 685 million people at risk.
The magnitude of this vulnerability should not be underestimated. The Magecart airline breach in September 2018, through just a few lines of vulnerable code, saw almost 400,000 people’s financial data exposed.
The security flaw was reported to branch.io, which states that it was able to patch the issue before any user data was exposed or exploited; however, the danger remains real. Dating app information, like that available in Tinder, contains not only financial information but also data points such as sexual orientation and relationship status.
According to currently available information, this security flaw has been patched; however, it sheds important light on the continued importance of user data privacy.