I can't think of any other reason to hack into a Tinder account. Oh well... another hour has passed and another security hole has been found.
App developers should take a long, hard look at how they use Facebook's Account Kit for identifying users – after a flaw in the system, and Tinder's use of the toolkit, left shag-seekers open to account hijacking. When a horny netizen logs into their Tinder profile using their phone number as a username, the hookup app relies …
If all you needed was a phone number, then there is no other information to tie a number to an account.
So duh, give any phone number and you're in. Yup, sounds obvious.
The point is, when cooking up a security mechanism, always check that simply replacing one element does not entail logging into another account. All elements must be present to log into the specific account they point to - if one is absent or wrong, you shouldn't be able to log into anything at all.
Those bug bounties really are taking the piss, aren't they?
USD6,250 for information that would have cost them at least ten times to acquire if they'd even thought to look.
Once he'd explained the problem to them I wonder what was the cost of the various meetings which determined whether:
- Anand Prakash knew what he was talking about;
- what the legal implications were;
- what the comms spin should be on it?
A lot more than what they paid him, I'm sure.
Biting the hand that feeds IT © 1998–2019