
Facebook Swipes a Tinder Account-Takeover Bug

Of all the online accounts you have, which one would you be least worried about if it were compromised? No such incident should be taken lightly, but different accounts expose different kinds of information to an attacker, and some of it is far more valuable than the rest.

If a profile on a message board gets hacked, for example, the repercussions will likely be insignificant, especially if you use that board under a nickname. If your bank account gets popped, on the other hand, things are quite a bit different. But what about social media?

Most people use social networking sites under their real identity, and their Facebook and Twitter profiles often contain plenty of information they wouldn't want falling into the wrong hands. With Tinder, leaked data could cause even more damage. That's why the dating app's users should be thankful to Anand Prakash, a security researcher working for AppSecure. He discovered a bug that would have let him take over other people's Tinder accounts, and he reported it instead of exploiting it.

Not many details are available in Prakash's Medium post, but the researcher did say that he disclosed the vulnerability and that it has since been patched. The bug actually lay in Facebook's Account Kit, an authentication system built by the social media giant that lets users create and log into accounts with just a phone number or an email address. Tinder users who sign in through Account Kit enter their phone number and then type in the One Time Password (OTP) they receive via SMS.

Prakash discovered that after he logged into Tinder with his own phone number, Account Kit placed a cookie containing an access token on his device. He then intercepted and modified the API requests, swapping his own phone number for another one that was registered with Account Kit and used on Tinder. He kept the same access token and the same OTP, both of which had been issued for his own number, and the service accepted them for the second number: he was logged straight into the Tinder account associated with it. In other words, the token and OTP were not bound to the phone number they had been issued for, and the server trusted whatever phone number appeared in the request.
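To make the failure mode concrete, here is a constructed model of a phone-number-plus-OTP login, with the flaw pattern described above (an OTP and access token accepted for a phone number they were never issued for) next to a hardened version that binds both to the number and derives the identity from the token rather than from the request. This is an added example for this page, not Account Kit's or Tinder's code; the class names, the `ACCOUNTS` table and the phone numbers are all made up for illustration.

```python
"""Constructed model of an OTP login flow: a vulnerable service that trusts the phone
number in the request, and a hardened one that binds OTPs and tokens to the number.
Illustrative only; not Account Kit's or Tinder's implementation."""
import hashlib
import hmac
import secrets

# Constructed accounts: phone number -> user id (both numbers "belong to the researcher")
ACCOUNTS = {"+15550000001": "user_a", "+15550000002": "user_b"}


class VulnerableOtpLogin:
    """Stores OTPs and tokens by value only, so the phone number sent with each
    request is believed instead of being tied to what was actually issued."""

    def __init__(self):
        self.valid_otps = set()
        self.tokens = set()

    def request_otp(self, phone):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.valid_otps.add(otp)          # flaw: not bound to `phone`
        return otp

    def verify_otp(self, phone, otp):
        if otp not in self.valid_otps:
            return None
        token = secrets.token_hex(16)
        self.tokens.add(token)            # flaw: not bound to `phone`, OTP not consumed
        return token

    def login(self, phone, token):
        # flaw: identity comes from the request body, the token only has to exist
        if token in self.tokens and phone in ACCOUNTS:
            return ACCOUNTS[phone]
        return None


class HardenedOtpLogin:
    """Binds each OTP and token to the phone number it was issued for, makes the OTP
    single-use, and takes the identity from the token, never from the request."""

    def __init__(self):
        self.pending_otps = {}   # phone -> sha256(otp), one pending OTP per phone
        self.tokens = {}         # token -> phone the token was issued for

    @staticmethod
    def _digest(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def request_otp(self, phone):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending_otps[phone] = self._digest(otp)
        return otp

    def verify_otp(self, phone, otp):
        expected = self.pending_otps.get(phone)
        if expected is None or not hmac.compare_digest(expected, self._digest(otp)):
            return None               # no OTP pending for this number, or wrong OTP
        del self.pending_otps[phone]  # single use: a replay for any number fails
        token = secrets.token_hex(16)
        self.tokens[token] = phone
        return token

    def login(self, phone, token):
        bound_phone = self.tokens.get(token)
        if bound_phone is None or not hmac.compare_digest(bound_phone, phone):
            return None               # unknown token, or token issued for another number
        return ACCOUNTS.get(bound_phone)


def replay_with_other_phone(service, own_phone, victim_phone):
    """Reproduces the step described in the article: log in with your own number, then
    resend the same token (and the same OTP) with the victim's number swapped in.
    Returns (user reached with own number, user reached with the victim's number)."""
    otp = service.request_otp(own_phone)
    token = service.verify_otp(own_phone, otp)
    own_user = service.login(own_phone, token)
    # The edited request: identical token, different phone number.
    hijacked = service.login(victim_phone, token)
    if hijacked is None:
        # Fall back to replaying the already-used OTP against the victim's number.
        replayed = service.verify_otp(victim_phone, otp)
        hijacked = service.login(victim_phone, replayed) if replayed else None
    return own_user, hijacked


if __name__ == "__main__":
    print(replay_with_other_phone(VulnerableOtpLogin(), "+15550000001", "+15550000002"))
    print(replay_with_other_phone(HardenedOtpLogin(), "+15550000001", "+15550000002"))
```

The two design points that matter are visible in the hardened class: the server never reads the identity out of the request once a token exists (the token is the identity), and an OTP is only ever compared against the one pending for that exact number and is consumed on first use. Either property alone would have stopped the swap the article describes; the vulnerable class has neither.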

In that case, both phones belonged to Prakash, but it is easy to see how, with nothing more than a victim's phone number, a malicious actor could take over their account. And once inside, the attacker has exactly the access the legitimate user has: all the chat history and other personal details are there for the taking.

After they learned about the bug, Facebook and Tinder worked with Prakash to fix it, and they later granted him a total of $6,250 as a bug bounty award. All in all, it was an exemplary vulnerability disclosure, and the vendors also deserve a pat on the back for acting quickly.

Bugs will continue to appear in software, and there's nothing we can do about this. What we can hope for is that the good guys like Anand Prakash will be the ones that find them first.