Israeli security firm Checkmarx has found that it's possible to reconstruct someone's Tinder session, including access to their photos, by capturing traffic when connected to the same Wi-Fi network. The issue affects both the iOS and Android versions of the app; Checkmarx built a proof-of-concept app, dubbed TinderDrift, to demonstrate how the flaw can be used.
Checkmarx says that while user credentials aren't exposed, the captured images and swipes could be used to blackmail a user. They add that an attacker could also inject inappropriate content, rogue advertising or other types of malicious content into a Tinder session.
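The root cause behind what Checkmarx describes is app traffic (profile images in particular) sent over cleartext HTTP, which anyone on the same Wi-Fi can both read and tamper with. As an added example, not Tinder's or Checkmarx's code and not part of the original post, here is how a mobile app opts out of cleartext traffic entirely on each platform, with the permissive setting shown commented out beside the hardened one. File names follow the platforms' conventions; the manifest attribute mentioned in the comment is the standard way Android picks up the config.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Android: res/xml/network_security_config.xml, referenced from AndroidManifest.xml
     with android:networkSecurityConfig="@xml/network_security_config" on <application>. -->
<network-security-config>
    <!-- Weak: any http:// request succeeds, so an on-path host on the same Wi-Fi
         can read photos and swipe traffic or inject its own content.
    <base-config cleartextTrafficPermitted="true" />
    -->

    <!-- Hardened: the platform refuses cleartext connections for every host, so a
         stray http:// URL fails loudly in testing instead of leaking in production. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>

<!-- iOS: the equivalent App Transport Security fragment inside Info.plist.
     ATS blocks plain http:// loads by default; the weak setting below is the
     blanket opt-out that re-enables them. -->
<key>NSAppTransportSecurity</key>
<dict>
    <!-- Weak: disables ATS for every domain.
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    -->
    <!-- Hardened: keep ATS enforced (this is also the default when the key is absent). -->
    <key>NSAllowsArbitraryLoads</key>
    <false/>
</dict>
```

With the Android config in place, an `http://` image fetch fails with `java.net.UnknownServiceException: CLEARTEXT communication ... not permitted by network security policy`, which is the check to look for in QA: run the app on a test device with an intercepting proxy or packet capture attached and confirm no port 80 requests ever leave it. Note that this only removes the cleartext exposure the post describes; a hostile access point with a forged certificate is a separate concern handled by certificate pinning, which these fragments do not configure.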
This is a pretty terrible oversight on the part of Tinder. Dating preferences are highly sensitive, and many people use apps like Tinder to meet people; if those preferences are exposed, they could leave users open to harassment.
Tinder responded to The Verge about this saying "unencrypted photos are profile pictures, and Tinder is a free global platform, so the pictures are 'available to anyone swiping on the app' anyway".
Apparently, they don't see the ability to inject unwanted data into a session as a big deal.
I'm guessing Tinder isn't the only app that doesn't properly protect traffic, but as it's been used to create 20 billion matches right across the world, it's one of the most high profile. And it makes me wonder how many more apps are out there that aren't looking after our data as well as they could.