Tinder bolsters its security to ward off hacks and blackmail

This week, Tinder responded to a letter from Oregon Senator Ron Wyden calling for the company to seal up security loopholes in its app that could lead to blackmail and other privacy incursions.

In a letter to Sen. Wyden, Match Group General Counsel Jared Sine describes recent changes to the app, noting that as of June 19, "swipe data has been padded such that all actions are now the same size." Sine added that images on the mobile app are fully encrypted as of February 6, while images on the web version of Tinder were already encrypted.

The Tinder issues were first called out in a report by a research team at Checkmarx describing the app's "disturbing vulnerabilities" and their propensity for blackmail:

"The vulnerabilities, found in both the app's Android and iOS versions, allow an attacker using the same network as the user to monitor the user's every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content (as demonstrated in the research). While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user's Tinder profile and actions in the app."

In February, Wyden called for Tinder to address the vulnerability by encrypting all data that moves between its servers and the app and by padding data to obscure it from hackers. In a statement to TechCrunch at the time, Tinder indicated that it heard Sen. Wyden's concerns and had recently implemented encryption for profile photos in the interest of moving toward deepening its privacy practices.

"Like every technology company, we are constantly working to improve our defenses in the battle against malicious hackers and cyber criminals," Sine said in the letter. "… Our goal is to have protocols and systems that not only meet, but exceed industry best practices."
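
The padding described in Sine's letter addresses the fact that encryption hides a message's content but not its length. The sketch below is an added example, not Tinder's or Checkmarx's code; the frame size, action names and JSON fields are constructed assumptions. It shows how an observer on the same network can tell actions apart by size until every message is padded to one fixed frame.

```python
import json
import struct

FRAME_SIZE = 256     # assumed fixed frame size, not a value from the letter
AEAD_OVERHEAD = 16   # typical AEAD tag: ciphertext length = plaintext length + 16

def pad(payload: bytes, frame_size: int = FRAME_SIZE) -> bytes:
    """Frame = 2-byte big-endian length + payload + zero fill, always frame_size bytes."""
    room = frame_size - 2
    if len(payload) > room:
        raise ValueError("payload exceeds frame; split it or use a larger frame")
    return struct.pack(">H", len(payload)) + payload + b"\x00" * (room - len(payload))

def unpad(frame: bytes, frame_size: int = FRAME_SIZE) -> bytes:
    """Recover the payload, rejecting frames of the wrong size or with a bad length."""
    if len(frame) != frame_size:
        raise ValueError("unexpected frame size")
    (n,) = struct.unpack(">H", frame[:2])
    if n > frame_size - 2:
        raise ValueError("corrupt length prefix")
    return frame[2:2 + n]

def observed_size(plaintext: bytes) -> int:
    """What an on-path observer learns: encryption hides content, not length."""
    return len(plaintext) + AEAD_OVERHEAD

# Constructed sample messages; action and field names are hypothetical.
ACTIONS = {
    "pass": json.dumps({"action": "pass", "id": "u123"}).encode(),
    "like": json.dumps({"action": "like", "id": "u123", "match": False}).encode(),
    "superlike": json.dumps({"action": "superlike", "id": "u123",
                             "match": False, "notify": True}).encode(),
}

def size_table(padded: bool) -> dict:
    """Observed ciphertext size per action, with or without padding."""
    return {name: observed_size(pad(m) if padded else m) for name, m in ACTIONS.items()}

def guess_action(size: int, table: dict) -> list:
    """Actions consistent with an observed size; a single candidate means a leak."""
    return sorted(name for name, s in table.items() if s == size)

if __name__ == "__main__":
    for padded in (False, True):
        table = size_table(padded)
        print("padded" if padded else "unpadded", table)
        print("  observer sees", table["like"], "->", guess_action(table["like"], table))
```

The frame has to be at least as large as the longest action, and responses need the same treatment as requests, or the size difference simply moves to the other direction of the exchange.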