Tinder Bug Allowed Anyone To Access Your Account With Just A Phone Number

A flaw in the Tinder app's log-in process, along with a flaw in Facebook's Account Kit API meant pretty much anyone could log into someone's Tinder account, just by knowing their phone number. It was a pretty big security issue. And, although it's now been fixed, it points to a lapse on the part of both Tinder and Facebook.

The vulnerability was detected by AppSecure and has been fixed by both Tinder and Facebook. And while you'd think the bounty for fixing this would be quite reasonable, the security researcher received just $5000 from Tinder and $1250 from Facebook.

One wonders what it would have been worth to someone on the dark side.

This continues Tinder's mixed record when it comes to security. There have been incidents in the past where they failed to encrypt images and where users' locations were exposed publicly for many months.

AppSecure said the vulnerability was the result of poor validation. When a user logs into Tinder, they receive an access token from the Account Kit service operated by Facebook. But there was no check in place to ensure the token matched the user's ID. So anyone with a valid token and someone else's phone number (assuming that's what they used as their username) could access that person's account.

The good news is the bug has been fixed and things are safe. But with a history of security issues, I'd be cautious of using Tinder.


