How much are you sharing when you swipe?

A new report reveals major vulnerabilities on Tinder, which make it easy for a hacker on a shared wifi network to “look over your shoulder” as you swipe.

A new report from security researchers at Checkmarx revealed a couple of major vulnerabilities on Tinder that make it fairly simple for an attacker using the same wifi network as a user (AKA, someone at your local coffee shop) to monitor their every swipe and control the profiles a user sees.

It’s not a matter of credit theft or financial threat. We’re talking about the kind of stuff that’s used for blackmail: people cheating on their significant others, sexual orientation, even *hushed voice* nuuudeees

You down with HTTP?

One of the main weaknesses stems from the insecure, unencrypted “HTTP” connection Tinder uses to load profile pictures.

This makes it possible for a hacker to essentially “look over your shoulder” at who you’re seeing and how you’re swiping — and allows them to swap in images of their choice, like ads or other inappropriate content.

Implementing basic HTTPS encryption on Tinder’s platform isn’t exactly “cutting-edge” security technology; it’s standard fare (75% of Google Chrome’s web traffic on Mac is encrypted).
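To check your own app for the weakness described above, this added example (not from the Checkmarx report or the original article) scans a HAR capture of the app's traffic and lists requests sent over plain HTTP, flagging images separately, plus HTTPS requests that are redirected to HTTP. The capture, the placeholder hosts and the `audit_cleartext` name are constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed HAR-style capture of an app's own traffic (hosts are placeholders).
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://api.example-dating.test/v2/recs"},
     "response": {"status": 200, "redirectURL": "", "content": {"mimeType": "application/json"}}},
    {"request": {"method": "GET", "url": "http://images.example-dating.test/u/1001/640.jpg"},
     "response": {"status": 200, "redirectURL": "", "content": {"mimeType": "image/jpeg"}}},
    {"request": {"method": "GET", "url": "HTTP://images.example-dating.test/u/1002/640.jpg"},
     "response": {"status": 200, "redirectURL": "", "content": {"mimeType": "image/jpeg"}}},
    {"request": {"method": "GET", "url": "https://cdn.example-dating.test/u/1003/640.jpg"},
     "response": {"status": 302, "redirectURL": "http://images.example-dating.test/u/1003/640.jpg",
                  "content": {"mimeType": ""}}},
]}})


def audit_cleartext(har_text):
    """Return {host: [(rule, path), ...]} for every request that touches plain HTTP."""
    findings = defaultdict(list)
    for entry in json.loads(har_text)["log"]["entries"]:
        resp = entry["response"]
        parts = urlsplit(entry["request"]["url"])  # scheme and hostname come back lowercased
        mime = resp.get("content", {}).get("mimeType", "")
        if parts.scheme == "http":
            # Anyone on the same network can read the URL and body, and alter the body.
            kind = "image" if mime.startswith("image/") else "other"
            findings[parts.hostname].append(("cleartext-" + kind, parts.path))
        redirect = resp.get("redirectURL") or ""
        if parts.scheme == "https" and urlsplit(redirect).scheme == "http":
            # An HTTPS request that is sent on to HTTP loses its protection at that hop.
            findings[parts.hostname].append(("https-downgrade", parts.path))
    return dict(findings)


if __name__ == "__main__":
    for host, items in audit_cleartext(SAMPLE_HAR).items():
        for rule, path in items:
            print(f"{host}\t{rule}\t{path}")
```

An empty result for a full session capture means every request, images included, stayed on HTTPS.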

Yet, other dating apps have the same issues

Turns out, popular gay dating app Grindr has the same security flaw with its images, plus one that allows third parties to track the app users’ location down to the foot, even if they opt out of location sharing in the user settings.

Grindr’s case is particularly concerning given its $254m buyout by Chinese technology firm the Kunlun Group. The Chinese government is notorious for stealing data from its citizens and businesses — and Grindr isn’t exactly making it hard for them.

You know who doesn’t have that problem? Pornhub.

That’s right folks, the adult streaming site takes their position as the 36th most visited site in the world preeetty seriously — as of last March, all their pages (and those of sister company YouPorn) are encrypted by default.

“It is our duty to ensure the confidentiality and safety of our users,” said Brad Burns, VP of YouPorn. That’ll do Brad, that’ll do.
