How I compromised Tinder records using Facebook’s membership equipment and garnered $6,250 in bounties

How I compromised Tinder records using Facebook’s membership equipment and garnered $6,250 in bounties

This can be being posted with the approval of facebook or twitter underneath the responsible disclosure plan.

The vulnerabilities discussed with this post comprise connected quickly from the engineering groups of zynga and Tinder.

This article is all about a free account takeover weakness I discovered in Tinder’s program. By exploiting this, an opponent perhaps have achieved the means to access the victim’s Tinder membership, that will need to have put his or her number to visit.

This might currently used through a weakness in Facebook’s Account package, which facebook or myspace has dealt with.

Both Tinder’s website and mobile solutions allow people to work with her cell phone data to log into the service. And that connect to the internet assistance try provided by accounts Kit (myspace).

Go browsing Program Run On Facebook’s Accountkit on Tinder

The consumer clicks over connect to the internet with Phone Number on immediately after which these are typically rerouted to for login. When the verification is prosperous subsequently levels system moves the access token to Tinder for connect to the internet.

Surprisingly, the Tinder API wasn’t verifying the client identification document from the token offered by levels gear.

This allowed the assailant to work with every other app’s access token supplied by accounts package to take around real Tinder records of various other consumers.

Vulnerability Meaning

Account Kit is actually something of zynga that permits visitors rapidly use and log on to some signed up apps through the help of just their own cell phone numbers or emails without resorting to a code. It is reliable, user-friendly, and offers you a choice precisely how they need to subscribe to apps.

Tinder happens to be a location-based mobile phone app for searching and meeting others. It permits people to love or dislike more consumers, and go on to a chat if each party swiped suitable.

There was clearly a susceptability in accounts equipment whereby an assailant could have gained use of any user’s profile gear account by simply employing their contact number. Once in, the opponent may have become ahold regarding the user’s membership equipment gain access to token contained in their particular cookies (aks).

Afterward, the assailant can use the access token (aks) to sign in the user’s Tinder levels using a vulnerable API.

How my exploit functioned bit-by-bit

Move no. 1

Initial the opponent would sign in victim’s Account Kit account by entering the victim’s number in “new_phone_number” inside the API inquire revealed below.

Take note that profile set was not validating the mapping of the names and numbers their one-time password. The assailant could get into anyone’s contact number immediately after which just sign in the victim’s membership gear accounts.

Then the attacker could copy the victim’s “aks” access token of Account Kit app from cookies.

The susceptible Account Kit API:

Action #2

These days the attacker just replays the following consult using the copied availability token “aks” of person inside Tinder API below.

They will be signed to the victim’s Tinder profile. The opponent would next generally have actually full power over the victim’s accounts. They can study private talks, complete information, and swipe various other user’s pages placed or correct, on top of other things.

Prone Tinder API:

Movie Evidence Of Concept


The vulnerabilities are repaired by Tinder and zynga fast. Twitter rewarded me personally with our team $5,000, and Tinder honored me with $1,250.

I’m the creator of AppSecure, a skilled cyber protection company with numerous years of skill obtained and careful expertise. We are below to guard your small business and crucial reports from online and off-line threats or weaknesses.

If this type of document am useful, tweet it.

Find out how to code at no charge. freeCodeCamp’s open starting point curriculum possess helped to much more than 40,000 everyone collect jobs as creators. Start

freeCodeCamp try a donor-supported tax-exempt 501(c)(3) not-for-profit group (U . S . government Tax Identification amount: 82-0779546)

All of our mission: to help individuals try to signal completely free. You accomplish this by promoting 1000s of video, pages, and active programming courses – all freely available on the people. We do have many freeCodeCamp research groups all over the world.

Contributions to freeCodeCamp go toward our personal degree projects and help shell out money for servers, treatments, and workers.