Kaspersky Lab says popular dating apps vulnerable to three types of attack

Security researchers at Kaspersky Lab say that a number of popular dating apps are vulnerable to up to three types of attack, potentially revealing anything from user location to full identity and employer …

The first approach tested was to see whether data users had chosen to share in the app could be cross-referenced with social media to identify people. The most dangerous information to reveal, they found, was your job and education.

In Tinder, Happn and Bumble users can add information about their job and education. Using that information, we managed in 60% of cases to identify users’ pages on various social media, including Facebook and LinkedIn, as well as their full names and surnames.

Second was location-tracking. Any app that shows the distance between an attacker and a dating site member can be used to triangulate their location.

In theory, this would be tricky to do as you’d need to move around a lot while your target remained in one place, and the vague distances used by some services would mean many more measurements would be needed. But Kaspersky found a simple way around this.

The services themselves simplify the task: an attacker can remain in one place, while feeding fake coordinates to a service, each time receiving data about the distance to the profile owner.
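One way a service could detect the fake-coordinate technique described above is to flag accounts whose successive reported positions imply an impossible travel speed. This is an added example, not code from the article or from Kaspersky Lab; the event format, the account names, the 1000 km/h threshold and the sample events are all constructed assumptions.

```python
import math
from collections import defaultdict

MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold: above commercial flight speed

# Constructed sample events: (account, unix_ts, lat, lon)
SAMPLE_EVENTS = [
    ("acct-A", 0,    52.50, 13.40),   # ordinary user, moves a few km in 30 min
    ("acct-A", 1800, 52.52, 13.45),
    ("acct-B", 0,    52.50, 13.40),   # reports positions ~11-15 km apart
    ("acct-B", 30,   52.60, 13.40),   # every 30 seconds
    ("acct-B", 60,   52.50, 13.55),
    ("acct-B", 90,   52.40, 13.40),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0  # mean Earth radius
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def flag_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_jumps=2):
    """Return {account: [(ts, km, kmh), ...]} for accounts with at least
    min_jumps location updates whose implied speed exceeds max_kmh."""
    last = {}                      # account -> (ts, lat, lon) of previous update
    jumps = defaultdict(list)
    for account, ts, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        if account in last:
            pts, plat, plon = last[account]
            km = haversine_km(plat, plon, lat, lon)
            hours = max(ts - pts, 1) / 3600.0   # clamp to 1 s to avoid dividing by zero
            kmh = km / hours
            if kmh > max_kmh:
                jumps[account].append((ts, round(km, 1), round(kmh)))
        last[account] = (ts, lat, lon)
    # Require repeated jumps so that a single GPS glitch does not flag an account
    return {a: j for a, j in jumps.items() if len(j) >= min_jumps}

if __name__ == "__main__":
    for account, found in flag_impossible_travel(SAMPLE_EVENTS).items():
        print(account, found)
```
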

Finally, they found that a number of services don’t encrypt all communications. Taking advantage of this fact would require a man-in-the-middle attack – where the bad guys create a fake version of a public WiFi hotspot and then search the traffic – but this is not entirely uncommon.

Badoo, for example, doesn’t use HTTPS for photos. By examining the photos viewed, it would be possible to work out which profiles were being viewed. Mamba was even worse, not using HTTPS at all, allowing all data to be captured, including login credentials.

The real-life risks from these weaknesses seem relatively low, but a couple of them are worthy of note. If you want a dating profile to remain anonymous, you probably want to be suitably vague about your work and educational achievements.

Similarly, it’s never a good idea to log in to any sensitive service – be it a dating site or online banking – on a public hotspot unless you are 100% confident you know it’s the real deal. Switching off WiFi and connecting via mobile data is the safer approach.

Via Gizmodo



Author

Ben Lovejoy
