Kaspersky Researchers Uncover Flaws in Popular Dating Apps Like Tinder, OkCupid, and Bumble

October 26, 2017, 12:32 AM UTC

Popular dating apps such as OkCupid, Tinder, and Bumble have vulnerabilities that make users’ personal information potentially accessible to stalkers, black mailers, and hackers.
The security lapses, which vary in terms of their severity and feasibility, could expose people’s names, login information, location, message history, and other account activity, warned researchers at Kaspersky Lab, a Moscow-based cybersecurity firm that’s been the subject of recent controversy in the U.S., in a new report.

“We are not going to discourage people from using dating apps, but we would like to give some recommendations on how to use them more safely,” the researchers said. They looked at a total of nine mobile match-making services that, in addition to the ones named above, included Badoo, Mamba, Zoosk, Happn, WeChat, and Paktor.

(The companies either did not immediately respond to Fortune’s request for more information, or did not provide an official comment.)

The first flaw allowed the researchers to de-anonymize, or unmask, people’s real identities. They used public profile information, such as education and employment history, which romance-seekers have the option to list on Tinder, Happn, and Bumble, to identify their accounts on other social networks.

“Using that information, we managed in 60% of cases to identify users’ pages on various social media, including Facebook and LinkedIn, as well as their full names and surnames,” the researchers said. Linked Instagram accounts, a common feature on many of these services, helped the team pursue leads too.

With full names and profiles at hand, there’s nothing to stop a creep from harassing a target through another social channel.

Get Data Sheet, Fortune’s technology newsletter

Another set of weaknesses in the apps allowed the researchers to pinpoint people’s whereabouts. The trick involved using information about the distance from a potential match to triangulate a person’s actual location.

“An attacker can remain in one place, while feeding fake coordinates to a service, each time receiving data about the distance to the profile owner,” the researchers said, noting that Tinder, Mamba, Zoosk, Happn, WeChat, and Paktor were the most vulnerable to this sort of potential privacy breach. (Earlier studies have called attention to this threat, the researchers pointed out.)

The most compelling vulnerabilities uncovered by the Kaspersky crew, however, involved encryption of traffic, or lack thereof, between phones and dating app servers. While most of the apps used HTTPS—a more secure, encrypted way to transmit data—Tinder, Paktor, and Bumble’s Android app, and Badoo’s iOS app used barebones HTTP—a protocol vulnerable to eavesdropping—for photo uploads.

In practice, this means that if someone is using one of these apps on an unsecured public Wi-Fi network, or on a network controlled by a snooper, the eavesdropper can see certain activity, like which accounts a person is viewing.

Some apps had issues with encryption for  various pieces of transmitted data. Happn sent names of common friends in the clear. Paktor did the same for people’s email addresses.

In some cases, the Google Android versions of certain apps had additional vulnerabilities compared to the Apple iOS versions. Paktor on Android, for instance, transmitted details, like people’s names, birthdates, GPS coordinates, and device types, unencrypted. (An interesting exception: the iOS version of Mamba connected to company servers strictly through HTTP, leaving all transmitted data open to snooping.)

In another part of the study, the researchers downloaded phone-compromising malware to see how it would interact with the apps. This is how they managed to do more invasive things, like obtain message and photo histories.

Android generally does a poorer job compared to iOS when it comes to protecting against these sorts of attacks, the researchers said. People can avoid these intrusions by being wary about the links they click and the software they download onto their phones. 

The researchers concluded their post with some tips about how people can protect themselves. “First, our universal advice is to avoid public Wi-Fi access points, especially those that are not protected by a password, use a VPN, and install a security solution on your smartphone that can detect malware,” the researchers wrote. “Secondly, do not specify your place of work, or any other information that could identify you.”

You can visit Kaspersky’s site to view a report card that describes how each of the apps fared during its tests. If you’re looking for love, know the risks and happy swiping—just hopefully not data-swiping.

Read More

Artificial IntelligenceCryptocurrencyMetaverseCybersecurityTech Forward