Security researchers at Kaspersky Lab say that a number of popular dating apps are vulnerable to up to three types of attack, potentially revealing anything from user location to full identity and employer …
The first approach tested was to see whether data users had chosen to share in the app could be cross-referenced with social media to identify people. The most dangerous information to reveal, they found, was your job and education.
In Tinder, Happn and Bumble users can add information about their job and education. Using that information, we managed in 60% of cases to identify users’ pages on various social media, including Facebook and LinkedIn, as well as their full names and surnames.
Second was location-tracking. Any app that shows the distance between an attacker and a dating site member can be used to triangulate their location.
In theory, this would be tricky to do as you’d need to move around a lot while your target remained in one place, and the vague distances used by some services would mean many more measurements would be needed. But Kaspersky found a simple way around this.
The services themselves simplify the task: an attacker can remain in one place, while feeding fake coordinates to a service, each time receiving data about the distance to the profile owner.
Finally, they found that a number of services don’t encrypt all communications. Taking advantage of this fact would require a man-in-the-middle attack – where the bad guys create a fake version of a public WiFi hotspot and then inspect the traffic passing through it – but this is not entirely uncommon.
Badoo, for example, doesn’t use HTTPS for photos. By examining the photos viewed, it would be possible to work out which profiles were being viewed. Mamba was even worse, not using HTTPS at all, allowing all data to be captured, including login credentials.
The real-life risks from these weaknesses seem relatively low, but a couple of them are worthy of note. If you want a dating profile to remain anonymous, you probably want to be suitably vague about your work and educational achievements.
Similarly, it’s never a good idea to log in to any sensitive service – be it a dating site or online banking – on a public hotspot unless you are 100% confident you know it’s the real deal. Switching off WiFi and connecting via mobile data is the safer approach.