A new kind of attack recently made the headlines, one that reportedly let attackers access Tinder accounts with just a phone number. The vulnerability was first discovered by Appsecure. Tinder appears to have addressed it by changing its login system. For the attack to work, attackers had to chain together two separate vulnerabilities in order to gain access to accounts. Both vulnerabilities have now been patched.
The two vulnerabilities behind this attack lay in Facebook's Account Kit system and in Tinder itself. Facebook's Account Kit system exposed users' access tokens through an API request made with the associated phone number, which on its own was a security threat.
Obtaining these access tokens alone, however, wasn't enough to get into Tinder accounts. The way Tinder had implemented Facebook's Account Kit system had its own problem: Tinder didn't check the access tokens against the client IDs, so anyone holding a valid access token could take full control of the associated Tinder account.
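The missing check, as an added example that is not from the article or from either company's code: a toy identity provider signs tokens bound to a client ID and a phone number (a constructed stand-in, not Account Kit's real API or token format), and an app login that trusts any validly signed token is shown beside one that also requires the token to carry its own client ID.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for the identity provider (Account Kit in the article):
# a token is base64url(JSON claims) + "." + HMAC-SHA256 over that body.
PROVIDER_SECRET = b"constructed-provider-signing-secret"
TINDER_CLIENT_ID = "client-tinder"   # hypothetical client ID of the app accepting the login
OTHER_CLIENT_ID = "client-other"     # hypothetical second app registered with the same provider


def issue_token(client_id: str, phone: str) -> str:
    """Provider issues a token bound to (client_id, phone)."""
    claims = json.dumps({"client_id": client_id, "phone": phone}, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(claims).decode()
    sig = hmac.new(PROVIDER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def introspect(token: str) -> Optional[dict]:
    """Provider-side check: return the claims if the signature verifies, else None."""
    body, _, sig = token.partition(".")
    expected = hmac.new(PROVIDER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except ValueError:  # covers bad base64 and bad JSON
        return None


def login_vulnerable(token: str) -> Optional[str]:
    """Accepts any validly signed token: the phone number alone selects the
    account, so a token minted for a different client still logs in."""
    claims = introspect(token)
    return None if claims is None else claims.get("phone")


def login_hardened(token: str, expected_client_id: str = TINDER_CLIENT_ID) -> Optional[str]:
    """Additionally requires that the token was issued for this app's client ID."""
    claims = introspect(token)
    if claims is None:
        return None
    if not hmac.compare_digest(str(claims.get("client_id", "")), expected_client_id):
        return None
    return claims.get("phone")
```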
Appsecure found these vulnerabilities earlier this year and reported them to both Facebook and Tinder. In return, they received a bounty of $5,000 from Facebook in addition to $1,250 from Tinder. Responding to The Verge's request for comment, Facebook said: "We quickly addressed this issue, and we're grateful to the researcher who brought it to our attention."