The revelation this week that dating app Tinder lacks basic encryption—meaning someone could discover whose profile you’ve viewed and which way you’re swiping—has sparked some understandable alarm and outrage. The reality is even scarier: It’s not a new discovery, and it’s not just Tinder.
Though Checkmarx, the security company that demonstrated the issue this week, reportedly notified Tinder back in November, Wired reports, its use of HTTP instead of the more secure HTTPS hasn’t changed. Users’ photos are still fetched via an unencrypted connection, meaning anyone else on the network—say, someone sitting in the same cafe—can intercept them, revealing the swiper’s sexual and dating preferences. And although “events” in the app are encrypted, the size of the server’s response to different user actions varies. Once the researchers worked out that swiping left, right, matching, and “super liking” each added up to a different number of bytes, they were able to use those patterns determine who users were interested in, who they were very interested in, and who had reciprocated.
To prove their point, the researchers built TinderDrift, a piece of software that exploits both vulnerabilities, allowing you to see, in real time, any Tinder sessions happening on the Wi-Fi network you’re connected to, as they demoed in the video below:
Perhaps the most worrying part of this story is that, while TinderDrift is new, public knowledge of the problem isn’t. Business Insider reported on property startup Rentify’s discovery that “Tinder stores all of its users’ photos in an unsecured format” almost a year ago, while Gizmodo documented this and other vulnerabilities in October. A Tinder spokesperson quoted in this week’s Wired article stated that the company is “working towards encrypting images” on the app, and pointed out that the browser-based version of Tinder does use HTTPS—but given that the majority of users access Tinder through their phones, that amounts to little comfort.
Unfortunately, switching where you swipe won’t make your data any safer: A broader investigation by Russian security researchers from Kaspersky Lab in October 2017 exposed similar issues in dating apps like Bumble, Badoo, Paktor, and Zoosk. (None of these companies has so far responded to Slate’s repeated requests for comment.)
To be clear, these failings are not the norm. Compared to other apps and websites, dating platforms seem almost uniquely insecure, and there’s really no reason for them to be. HTTPS has been around for more than 20 years, and has been adopted by virtually every major tech company (and 68 percent of the internet overall) thanks to a combination of public pressure and incentives—Google even prioritizes pages that use it in its search results. Yet Tinder has failed to get fully on board, even 10 months after Rentify’s CEO bragged about using the vulnerability to replace photos of his employees’ would-be matches with photos of himself scowling in disapproval (a tactic he described as the best way “to remove the incentive for being on Tinder in the workplace,” as well as a stunning showcase of the potential for this vulnerability to be exploited).
The Kaspersky study revealed that for some of these apps, more than just your photos are at risk of exposure or manipulation. The advertising module used by Zoosk—a platform that boasts more than 30 million downloads—sends requests containing user data in an unencrypted format. By intercepting these requests, the researchers could see a given user’s age, gender, smartphone model, and even GPS coordinates. And the in-app banners themselves, like the Tinder pics swapped out by Rentify’s CEO, can be changed by anyone with control over the Wi-Fi access point, allowing hackers (or proprietors) to replace legitimate ads with malicious ones.
There is at least one dating app that has avoided these problems. SCRUFF, which is frequented by more than 10 million gay and bisexual men and in 2013 became the first app with a community feature for trans members, has long dealt with sensitive information like users’ HIV status, sexuality, and gender identity. Its founders are acutely aware of the risks, and have worked hard to keep their users safe. “SCRUFF uses HTTPS to transmit image data and other user information between its clients and its servers,” co-founder and CEO Eric Silverberg told me.
SCRUFF has also gone further than that to look out for its user base, which spans 180 countries: If, for example, someone decides to hide his location from his profile, his coordinates are also scrambled on the app’s servers. The company also maintains an index of Gay Travel Advisories, and alerts let travelers know if they’re in a place where homosexual acts are criminalized. “Gay men face threats to their safety, both emotional and physical, in communities throughout our country and the world,” said Silverberg, “which is why SCRUFF has incorporated security into our architecture and our product design from the very beginning.” (I asked Grindr, which also caters to gay and bisexual men, whether it uses HTTPS. A representative for the company said she was “unable to get a response at this time.”)
Silverberg speculated that Tinder opted for HTTP “for cost purposes, since HTTP content is more easily cached.” Conscious of bots, scammers, spammers, and more serious risks to LGBTQ users’ safety, SCRUFF took a different approach. “Ultimately, security is not a feature you add to a product, like spell check is added to a word processor,” Silverberg said, crediting “smart technical leadership” from the app’s early days for its success on this front. “Security is instead a series of interlocking decisions that build on each other and guide future decisions. Transmission protocols like HTTPS are just one part; server configuration, network architecture, and employee protocols are just as important.”
As TinderDrift has made clear, it’s time for the rest of these platforms to get with the program, particularly as they attempt to court LGBTQ users—the lexical support is increasingly there, but security remains a critical issue.
While it’s true that early integration is preferable to tacking on a solution, Checkmarx has suggested viable fixes for Tinder, including photo encryption and “padding” of responses to user actions so that you can’t differentiate between swipes and matches based on bytes alone. It—and the many other apps that have been implicated in similar studies—would do well to listen.
