How I hacked Tinder accounts using Facebook’s accounts equipment and gained $6,250 in bounties

This is exactly being circulated aided by the license of Twitter underneath the liable disclosure approach.

The weaknesses discussed with this blog post had been connected rapidly with the manufacturing teams of fb and Tinder.

This document is mostly about an account takeover weakness I discovered in Tinder’s software. By exploiting this, an opponent could have gained use of the victim’s Tinder membership, that necessity employed their particular number to visit.

This can have now been used through a susceptability in Facebook’s accounts package, which facebook or myspace has now answered.

Both Tinder’s internet and mobile purposes enable people to utilize their own cellular phone rates to sign in this service membership. And also this login services was offered by membership package (facebook or myspace).

Login Program From Facebook’s Accountkit on Tinder

The person clicks about go with Phone Number on and simply rerouted to for login. In the event that verification is prosperous then Account gear moves the availability token to Tinder for connect to the internet.

Interestingly, the Tinder API was not examining your client ID regarding token furnished by Account package.

This permitted the opponent to work with all other app’s access token supplied by profile Kit to take around true Tinder records of various other individuals.

Susceptability Information

Membership gear are an item of fb that lets folks rapidly sign up for and log on to some authorized apps simply by using merely his or her telephone numbers or email addresses without resorting to a code. It is actually effective, user-friendly and uncomplicated, and gives an individual a decision about they will sign up for apps.

Tinder try a location-based mobile app for researching and meeting new-people. It provides people to enjoy or detest additional people, after which check out a chat if each party swiped appropriate.

There had been a vulnerability in levels system by which an opponent might have gained access to any user’s levels system accounts through employing their telephone number. After in, the opponent could have obtained ahold regarding the user’s profile set access token contained in his or her cookies (aks).

Then, the assailant can use the access token (aks) to log into the user’s Tinder membership making use of a susceptible API.

Exactly how your take advantage of proved helpful step-by-step

Run number 1

Initial the attacker would sign in victim’s membership gear profile by entering the victim’s phone number in “new_phone_number” through the API inquire indicated below.

You should be aware that profile Kit wasn’t verifying the mapping belonging to the cell phone numbers making use of one-time code. The attacker could key in anyone’s number and then only log into the victim’s Account equipment profile.

Then the attacker could copy the victim’s “aks” access token of Account Kit app from cookies.

The vulnerable Profile System API:

Step # 2

These days the opponent merely replays the below ask with the duplicated connection keepsake “aks” of target into the Tinder API below.

Are going to be recorded into victim’s Tinder account. The assailant would after that generally have full control of the victim’s account. They can see exclusive shows, full personal information, and swipe additional user’s kinds put or best, among other things.

Prone Tinder API:

Movie Proof Idea


The weaknesses are fixed by Tinder and Facebook quickly. Facebook or myspace compensated me with US $5,000, and Tinder granted me with $1,250.

I’m the founder of AppSecure, a specialized cyber safeguards providers with years of skill gotten and meticulous experience. We have been in this article to shield your organization and crucial information from on the web real world hazards or weaknesses.

If the article got useful, tweet it.

Figure out how to rule free-of-charge. freeCodeCamp’s available supply course features assisted above 40,000 group receive employment as developers. Begin

freeCodeCamp is a donor-supported tax-exempt 501(c)(3) not-for-profit firm (United States national Tax identity wide variety: 82-0779546)

Our personal mission: to help individuals figure out how to rule free of charge. You accomplish this by generating 1000s of clips, information, and interactional coding instructions – all free within the common. You also provide a great deal of freeCodeCamp research associations worldwide.

Contributions to freeCodeCamp get toward all of our degree projects that really help shell out money for servers, business, and associate.