Hey, you. App dev. You like secure software? Let's learn from Tinder, Facebook's blunders

App developers should take a long, hard look at how they use Facebook's Account Kit for identifying users – after a flaw in the system, and Tinder's use of the toolkit, left shag-seekers open to account hijacking. When a horny netizen logs into their Tinder profile using their phone number as a username, the hookup app relies …

  1. This post has been deleted by its author

    1. Mark 85 Silver badge

      Re: Blackmail?

      I can't think of any other reason to hack into a Tinder account. Oh well... another hour has passed and another security hole has been found.

  2. Pascal Monett Silver badge

    Seems to me the initial premise was flawed

    If all you needed was a phone number, then there is no other information to tie a number to an account.

    So duh, give any phone number and you're in. Yup, sounds obvious.

    Ah, hindsight.

    The point is, when cooking up a security mechanism, always check that simply replacing one element does not entail logging into another account. All elements must be present to log into the specific account they point to - if one is absent or wrong, you shouldn't be able to log into anything at all.

    1. Brangdon

      Re: Seems to me the initial premise was flawed

      It was supposed to be not enough to have a phone number. You also had to be able to read texts sent to that number.

  3. Dr Who

    Inevitable

    Tinder plugs hole

  4. Anonymous Coward

    'All you'd need is a victim's phone number, and bam'

    Why does Tinder allow a third-party app this type of open access anyway....

    Those bug bounties for holes with such sweeping wide access are paltry...

  5. Cuddles Silver badge

    Forgot?

    "The app's developers forgot to check the client ID number in the login token"

    They didn't check that login was actually valid for the person trying to log in. That's not "forgot", that's "fundamentally failed at the sole purpose of a login system".
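
    The check the comment above says was missing, shown as an added example that is not code from the article, from Facebook's Account Kit or from Tinder. It models a generic HMAC-signed login token (a constructed stand-in, not Account Kit's real format) that carries a phone number and the client ID of the app the token was issued to; the secret, client IDs and phone numbers are all constructed values. The flawed verifier only checks the signature, so a token legitimately issued to some other app logs the holder into this app; the hardened verifier also requires the token's client ID to match its own.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example; a real identity provider would hold the
# signing key and each app would be registered with its own client ID.
ISSUER_SECRET = b"constructed-demo-secret"
OUR_CLIENT_ID = "app-123"


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(phone: str, client_id: str, secret: bytes = ISSUER_SECRET) -> str:
    """Stand-in for what the identity provider returns after SMS verification:
    a signed body naming the verified phone number and the requesting app."""
    body = _b64u(json.dumps({"phone": phone, "client_id": client_id}).encode())
    sig = _b64u(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def _signed_claims(token: str, secret: bytes):
    """Return the claims if the signature is valid, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig)):
        return None
    return json.loads(_unb64u(body))


def login_no_client_check(token: str, secret: bytes = ISSUER_SECRET):
    """The flawed pattern: the signature is verified, but a token issued to any
    app is accepted, so the phone number in it is trusted regardless of which
    client the provider actually issued it for."""
    claims = _signed_claims(token, secret)
    return claims["phone"] if claims else None


def login(token: str, expected_client_id: str = OUR_CLIENT_ID,
          secret: bytes = ISSUER_SECRET):
    """Hardened: the token must be validly signed AND issued to this client.
    Every element of the credential has to point at this app and this user."""
    claims = _signed_claims(token, secret)
    if claims is None or claims.get("client_id") != expected_client_id:
        return None
    return claims["phone"]


if __name__ == "__main__":
    ours = issue_token("+15555550100", OUR_CLIENT_ID)
    theirs = issue_token("+15555550100", "some-other-app")
    print("flawed  :", login_no_client_check(ours), login_no_client_check(theirs))
    print("hardened:", login(ours), login(theirs))
```

Running the block prints the flawed verifier accepting both tokens and the hardened one accepting only the token issued to `app-123`. The same idea applies to standards-based tokens: in a JWT or OpenID Connect ID token this is the `aud` (audience) claim, and validating it is part of the specified verification steps rather than an optional extra.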

  6. 2much2young

    Those bug bounties really are taking the piss, aren't they?

    USD6,250 for information that would have cost them at least ten times as much to acquire if they'd even thought to look.

    Once he'd explained the problem to them, I wonder what was the cost of the various meetings which determined whether:

    - Anand Prakash knew what he was talking about;

    - what the legal implications were;

    - what the comms spin should be on it?

    A lot more than what they paid him I'm sure.
