The way I hacked Tinder account utilizing Facebook’s profile gear and generated $6,250 in bounties

September 4, 2021 7:51 pm Published by Leave your thoughts

This is certainly being published employing the permission of facebook or myspace beneath accountable disclosure plan.

The weaknesses talked about within blog post were blocked fast with the manufacturing groups of Twitter and Tinder.

This article is focused on a merchant account takeover weakness I realized in Tinder’s program. By exploiting this, an opponent may have acquired use of the victim’s Tinder account, whom needs put the company’s contact number to join.

This could possibly are abused through a vulnerability in Facebook’s Account gear, which facebook or twitter has answered.

Both Tinder’s website and mobile phone purposes enable consumers to work with the company’s mobile data to sign in needed. And that sign on solution try furnished by levels set (fb).

Go Assistance Powered by Facebook’s Accountkit on Tinder

The person clicks about go with Phone Number on right after which they’re redirected to for login. When authentication is successful subsequently Account Kit moves the gain access to token to Tinder for go browsing.

Surprisingly, the Tinder API wasn’t inspecting the consumer ID throughout the token given by Account package.

This allowed the assailant to utilize some other app’s access token supplied by membership set taking during the real Tinder accounts of various other users.

Weakness Meaning

Membership gear was a product or service of Facebook that let’s anyone easily create and log on to some subscribed applications using simply their unique telephone numbers or email address without resorting to a password. Actually dependable, simple, and offers you an option about how precisely they need to sign up for apps.

Tinder is actually a location-based cellular app for looking and achieving others. It gives consumers to like or hate other users, thereafter go on to a chat if each party swiped suitable.

There was clearly a vulnerability in Account gear where an attacker may have acquired having access to any user’s profile package levels just by employing their number. After in, the attacker might have received ahold with the user’s levels equipment entry token found in her snacks (aks).

From then on, the assailant would use the entry token (aks) to log into the user’s Tinder profile making use of a susceptible API.

Just how our take advantage of worked step-by-step

Stage number 1

To begin with the attacker would sign in victim’s profile equipment membership by going into the victim’s number in “new_phone_number” in the API demand found below.

Please be aware that accounts package wasn’t confirming the mapping belonging to the telephone numbers their one-time password. The attacker could get into anyone’s phone number and simply sign in the victim’s profile equipment membership.

Then the attacker could copy the victim’s “aks” access token of Account Kit app from cookies.

The susceptible Profile Package API:

Move no. 2

Now the assailant simply replays the next inquire using the copied access keepsake “aks” of target inside Tinder API below.

They will be signed in to the victim’s Tinder levels. The attacker would subsequently basically have whole control over the victim’s profile. They might look over private chats, whole private information, and swipe different user’s profiles left or appropriate, among other things.

Insecure Tinder API:

Training video Proof Principle


Both the weaknesses were addressed by Tinder and Twitter easily. Facebook compensated me personally with US $5,000, and Tinder grant myself with $1,250.

I’m the founder of AppSecure, a specific cyber safety corporation with years of skill got and precise resources. We’ve been below to shield your business and important information from on the web and offline threats or vulnerabilities.

If this type of document is practical, tweet it.

Discover how to rule at no cost. freeCodeCamp’s open source curriculum keeps aided about 40,000 someone see tasks as manufacturers. Start

freeCodeCamp is a donor-supported tax-exempt 501(c)(3) nonprofit organization (U . S . government taxation recognition quantity: 82-0779546)

Our goal: to help people try to rule at no charge. We attempt by developing several thousand films, documents, and entertaining coding coaching – all freely available into community. Most people also provide several thousand freeCodeCamp analysis people around the globe.

Contributions to freeCodeCamp get toward our personal degree campaigns which helps cover hosts, facilities, and personnel.

Categorised in:

This post was written by rattan

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>