Checkmarx researchers disclosed two flaws (CVE-2018-6017, CVE-2018-6018) and a proof of concept (see video below) for an app that could sit on the wireless network of, say, an airport or hotel and observe actions including profile views, swipes, and likes.
The first issue, CVE-2018-6017, results from the Tinder’s app’s use of insecure HTTP connections to access profile pictures. By observing traffic on a public Wi-Fi network (or some other snooping position on a network), a miscreant could see what profiles are being viewed and match them with the victim’s device. If a scumbag has compromised the network when the victim turns on the Tinder app, the victim’s profile information could also be intercepted and viewed.
The second flaw, CVE-2018-6018, is what allows the attacker to see specific actions like swipes and likes. Though the Tinder API uses HTTPS connections for traffic it handles, the specific actions each move their encrypted packets with a set length.
By checking packets for specific byte sizes (278 bytes for a left swipe to reject, 374 bytes for a right swipe to approve, and 581 bytes for a like), the attacker could combine the actions with the unsecured HTTP profile and photo traffic to work out who is swiping who.
The recommendation for users is simple enough: avoid public Wi-Fi networks wherever possible. Developers, meanwhile, should take steps to make sure all app traffic is secured.