Contact Us: [email protected]
Call Us +60 3-7783 2000
Stay connected:

How I compromised Tinder accounts utilizing Facebook’s membership system and received $6,250 in bounties

This could be being published because of the consent of myspace underneath the liable disclosure approach.

The weaknesses mentioned through this article were plugged rapidly by the technology groups of Twitter and Tinder.

This post means an account takeover weakness i ran across in Tinder’s product. By exploiting this, an opponent may have gained usage of the victim’s Tinder account, whom will need made use of their particular phone number to log on.

This could possibly have already been abused through a weakness in Facebook’s membership Kit, which facebook or twitter has recently addressed.

Both Tinder’s cyberspace and cellular software let users to utilize the company’s cell phone amounts to sign in the service. Which go tool was provided by Account Kit (Facebook).

Connect to the internet Assistance Powered by Facebook’s Accountkit on Tinder

The person clicks in go browsing with telephone number on then these include redirected to for go browsing. When the authentication is prosperous after that accounts equipment goes the connection token to Tinder for sign on.

Interestingly, the Tinder API wasn’t examining the client identification about token provided by levels equipment.

This allowed the attacker to utilize another app’s entry token supplied by levels gear to take around genuine Tinder records of different users.

Susceptability Profile

Membership Kit is actually a solution of myspace that helps individuals fast register for and log in to some subscribed software using just their own phone numbers or email address without the need for a code sugar daddy. It really is trusted, intuitive, and offers an individual a variety about how exactly they will sign up for applications.

Tinder was a location-based mobile phone application for looking around and meeting other people. It allows users to enjoy or hate more users, following check out a chat if both parties swiped right.

There were a vulnerability in profile system through which an attacker perhaps have gained having access to any user’s accounts system levels just by utilizing their phone number. After in, the assailant could have obtained ahold regarding the user’s levels system accessibility token contained in her snacks (aks).

Afterwards, the assailant should use the access token (aks) to sign in the user’s Tinder levels using a weak API.

How your exploit worked step-by-step

Move #1

First the assailant would log into victim’s Account set profile by going into the victim’s contact number in “new_phone_number” for the API need demonstrated below.

Please note that accounts package had not been confirming the mapping from the contact numbers with their single password. The attacker could type in anyone’s telephone number and then simply log into the victim’s levels set profile.

Then the attacker could copy the victim’s “aks” access token of Account Kit app from cookies.

The prone Profile Set API:

Move number 2

These days the attacker just replays here request making use of duplicated gain access to keepsake “aks” of person in to the Tinder API below.

They are signed inside victim’s Tinder accounts. The attacker would consequently basically have actually whole control over the victim’s levels. They may read private talks, full private information, and swipe some other user’s users placed or appropriate, on top of other things.

Exposed Tinder API:

Videos Evidence Of Concept


Both vulnerabilities happened to be repaired by Tinder and facebook or twitter easily. Facebook rewarded myself with US $5,000, and Tinder awarded me personally with $1,250.

I’m the creator of AppSecure, a particular cyber safety team with several years of talent got and thorough resources. We’ve been right here to shield your enterprise and vital information from on the web and outside of the internet dangers or vulnerabilities.

If the document had been valuable, tweet they.

Learn how to code at no charge. freeCodeCamp’s open starting point program has assisted well over 40,000 customers come work as programmers. Get going

freeCodeCamp is actually a donor-supported tax-exempt 501(c)(3) not-for-profit planning (united states of america Federal Tax identity amount: 82-0779546)

All of our goal: to help people find out how to rule at no charge. We make this happen by producing countless films, content, and active code sessions – all freely available to your community. Most people in addition have countless freeCodeCamp research communities around the globe.

Contributions to freeCodeCamp become toward our personal knowledge projects which help pay money for machines, facilities, and people.

Add Comment

Your email address will not be published. Required fields are marked *