Tinder vulnerabilities let strangers see your swipes
MANILA, Philippines – Tinder vulnerabilities leave users wide open to being spied on, specifically via their 'swipes' and photos, according to a report by Wired.
The vulnerabilities were revealed by Tel Aviv-based app security firm Checkmarx on Tuesday, January 23.
They found that these vulnerabilities allow hackers to see what photo a user is currently looking at, and then, whether the user swiped right (an approval), swiped left (a rejection) or matched with another user.
These vulnerabilities can be exploited by anyone who is on the same WiFi network as the user. This means that Tinder users who care about their privacy would be smart not to use the app while connected to a public WiFi network.
Strangers can see which photos a user is currently looking at because the app lacks basic HTTPS protection for photos. Other data on Tinder is HTTPS-encrypted, but as the research firm has discovered, photos are still streamed unprotected.
Swipe rights, swipe lefts, and matches are encrypted, but that is not enough, the firm has discovered. In tests, the researchers were able to tell the operations apart because encryption does not hide the size of each one. They were able to see that a swipe right is 374 bytes; a swipe left, 278 bytes; a match, 581 bytes. Combining these vulnerabilities, hackers can track a user's behavior on the app.
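The size leak described above, and the common countermeasure of padding every response to one fixed length before encryption, as an added example (not code from Checkmarx, Tinder or the original report). The response bodies are constructed to match the reported byte counts; the 1024-byte bucket and the length-prefix framing are assumptions.

```python
import json

# Byte counts reported in the article for each encrypted response.
REPORTED = {"swipe_left": 278, "swipe_right": 374, "match": 581}
BUCKET = 1024  # assumed pad-to size; must exceed the largest framed response


def make_body(action, size):
    """Constructed JSON body of exactly `size` bytes (not a real API payload)."""
    empty = json.dumps({"action": action, "filler": ""})
    return json.dumps({"action": action, "filler": "x" * (size - len(empty))}).encode()


def observed_size(payload):
    """What an on-path observer learns: encryption adds only a constant
    overhead, so differences in plaintext length survive on the wire."""
    return len(payload)


def pad(body, bucket=BUCKET):
    """Applied before encryption: 4-byte length prefix, then zero-fill
    up to a multiple of `bucket`."""
    framed = len(body).to_bytes(4, "big") + body
    return framed + b"\x00" * (-len(framed) % bucket)


def unpad(padded):
    """Recover the original body on the receiving side."""
    n = int.from_bytes(padded[:4], "big")
    return padded[4:4 + n]


def sizes_on_wire(padded):
    """Map each action to the size an observer would see."""
    bodies = {a: make_body(a, s) for a, s in REPORTED.items()}
    return {a: observed_size(pad(b) if padded else b) for a, b in bodies.items()}


if __name__ == "__main__":
    print("unpadded:", sizes_on_wire(False))  # three distinct sizes
    print("padded:  ", sizes_on_wire(True))   # one size for every action
```

Padding hides which response was sent, not that one was sent; the timing and number of requests stay visible.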
Checkmarx notified Tinder about these vulnerabilities back in November, Wired reports, yet they remain. Tinder issued a statement to Wired, saying that they're working towards encrypting images on their app, but said nothing about the exposed file sizes. Tinder also said that photos are public information to begin with. However, it's a different thing when a third party is able to see what you're currently seeing, along with specific interactions. – Rappler.com