Lurkers sharing an unsecured Wi-Fi network with you could see when you're swiping right or left on Tinder and when you start a chat with someone, according to security research published Tuesday.
"It’s very simple to execute because the problem is, Tinder actually neglected to encrypt some of the data," Amit Ashbel, director of product marketing with the security firm Checkmarx, which led the study, told BuzzFeed News. "You just have to listen to the network and you’ll have the images available to you."
As Wired first reported, because Tinder doesn't encrypt profile images on its app, a hacker can snoop around a user's profile and see their profile images and the images of other users that they view while they are connected to an open Wi-Fi network, according to Checkmarx's research. A hacker might also be able to swap out images a user sees, insert ads, or insert malware disguised as an image. But images aren't the only part of the data that is unencrypted, said Ashbel. A snoop could see when a chat is initiated — but the text in the chat is not exposed because it's encrypted, he said.
A hacker on the same open network could also see when a user swipes left, right, or up to "super like" someone — Tinder does encrypt this data, but the encrypted text for each action has a distinct length, so the size of the encrypted traffic alone is enough to tell how someone swiped on a profile.
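As an added illustration of the length side-channel described above (this is not Checkmarx's or Tinder's code; the swipe payloads, the toy cipher and the fixed padding size are constructed assumptions), the Python below shows that a stream-style cipher preserves message length, so three differently sized swipe requests stay distinguishable after encryption, and that padding every request to one fixed size before encrypting removes the difference.

```python
import hashlib
import os
import struct

# Constructed stand-ins for the three swipe requests (not Tinder's real format).
SWIPES = {
    "left": b'{"action":"left","user":"u-1234"}',
    "right": b'{"action":"right","user":"u-1234"}',
    "superlike": b'{"action":"superlike","user":"u-1234"}',
}
FIXED_SIZE = 64  # every padded request is exactly this many bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode) standing in for a real record
    # cipher; like a real stream or AEAD cipher it adds nothing to the length.
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def pad(plaintext: bytes, size: int = FIXED_SIZE) -> bytes:
    # Length-prefixed zero padding so the receiver can recover the original.
    if len(plaintext) + 2 > size:
        raise ValueError("payload too large for fixed-size padding")
    return struct.pack(">H", len(plaintext)) + plaintext.ljust(size - 2, b"\x00")


def unpad(padded: bytes) -> bytes:
    (n,) = struct.unpack(">H", padded[:2])
    return padded[2 : 2 + n]


def length_table(key: bytes, padded: bool) -> dict:
    # What a passive observer on the network sees: one ciphertext length per action.
    return {name: len(encrypt(key, pad(body) if padded else body))
            for name, body in SWIPES.items()}


def leaks_by_length(table: dict) -> bool:
    # True when every action has its own ciphertext length, i.e. length alone
    # identifies the swipe; False once padding makes all lengths equal.
    return len(set(table.values())) == len(table)
```

Running `length_table` with and without padding shows the unpadded lengths differ by exactly the plaintext size difference, while the padded ones are all identical.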
Tinder does not disclose details about its security tools "to avoid tipping off would-be hackers," a company spokesperson told BuzzFeed News. But it said it takes the security and privacy of users seriously.
"Like every other technology company, we are constantly improving our defenses in the battle against malicious hackers," the spokesperson said. "For example, our desktop and mobile web platforms already encrypt profile images, and we are working towards encrypting images on our app experience as well."
A YouTube video of the test shows how a creative hacker would be able to see exactly what a victim sees on their screen, along with what action they took on a particular profile.
"The victim has no way to know someone is actually watching them," Yalon told BuzzFeed News. "There is no way to avoid this and no way to know it's happening."
However, there is a way to avoid this kind of lurking: Only use Tinder when you're on a secure connection. Because someone could only exploit this vulnerability from a shared network, it's not that easy for someone to actually lurk on your Tinder profile.
"If you don't want people to know what's going on in your Tinder account, preferably use a secure Wi-Fi network," Ashbel said. "The second one is what I recommend to all my friends, is anything you don't want visible to all people, don't do on a network-connected device."
Checkmarx said that Tinder should not rely on HTTP for its app, which includes sensitive personal information about its users, like their sexual preferences, age, location, and employer. Instead, Ashbel and Yalon said Tinder should exclusively use encrypted connections for its entire app.
"We know there is no data theft in this case; it’s just a privacy invasion, a privacy invasion creative hackers can easily leverage," said Ashbel.