Security researchers with Kaspersky Lab have disclosed that a number of popular dating apps are vulnerable to a variety of attacks that can reveal personal user details including full names, the name of your employer and even your location.
In four of the top nine online dating apps investigated (Tinder, Bumble, OkCupid, Badoo, Mamba, Zoosk, Happn, WeChat and Paktor), researchers were able to determine a user’s true identity based on data provided in profiles. By knowing your employer, field of study or where you went to school, it was possible to find users’ social media accounts and thus learn real names.
Kaspersky says they could identify Happn and Paktor users on other social media sites 100 percent of the time. The success rate dropped to 60 percent and 50 percent for Tinder and Bumble, respectively, which is still quite significant.
Six of the nine aforementioned apps reveal some form of location data on users, such as the distance between you and a person you’re interested in. By moving around and logging data about the distance between two users, it’s “easy to determine the exact location” of the “prey.”
Happn seems to be the worst offender, revealing details like how many meters separate you from other users. The app even shows the number of times two people have crossed paths, making it even easier to track someone down.
Most of the apps Kaspersky looked into transfer data to a server over an SSL-encrypted channel, but that’s not always the case. The analytics module used in the Android version of Mamba does not encrypt data about the mobile device being used, while the iOS version transfers all data – including messages – unencrypted.
Tinder, Paktor, Bumble for Android and Badoo for iOS, meanwhile, upload photos via unencrypted HTTP, which can allow an attacker to determine which profiles a potential victim is browsing.
Worse yet, researchers found that five of the nine apps were vulnerable to man-in-the-middle attacks because they did not verify certificate authenticity. Almost all of the apps authorize through Facebook, meaning the lack of certificate verification can lead to the theft of a temporary authorization key (a token). This can give a criminal access to social media account data for up to three weeks or so, Kaspersky said.
Android users have even more to be worried about as eight of the nine apps studied provide “too much information to cybercriminals with superuser access rights.” This is largely only a concern for Android users as malware that gains root access in iOS is rare.
With such access, researchers were able to get authorization tokens for social media from almost every Android dating app tested. Credentials were encrypted although the decryption key was easily obtainable from the app itself. Apps like Tinder, Bumble, OkCupid, Badoo, Happn and Paktor all store message history and user photos with their tokens, thus hackers with superuser access can easily view such confidential information.
Kaspersky said it informed developers of its findings in advance, adding that some had already fixed issues and others were still working on corrections.
While some of these apps certainly need to step up their security, the biggest takeaway here is simply to be cognizant of the data you’re volunteering on dating profiles. Should you want your dating profile to be somewhat anonymous, you need to be as vague as possible about sharing details on yourself (save those for the first date, for example). If there’s one thing to realize in this post-Snowden era, it’s that a reasonable expectation of privacy is not something you can count on. Anything you say or do that’s transmitted over the Internet can likely be traced back to you.