The bug discovered by Prakash allowed an attacker to gain access to a Tinder account. A user was more vulnerable if he or she used a mobile number to log in to the account.
Ethical hacker Anand Prakash, who has a proven track record of winning bounties worth crores of rupees by hunting bugs in apps and social networking sites, was at work again. He reported a vulnerability to Tinder and Facebook and was rewarded with monetary awards worth Rs 4 lakh.
Tinder allows its users to log in to the mobile application as well as the web app with their mobile numbers. For that, the company uses a tool named Account Kit, which is developed by Facebook. When a Tinder member clicks on login, the user is redirected to Account Kit and, if authentication succeeds, receives an access token for the Tinder account.
Prakash found a vulnerability in a part of the Tinder API that was not checking the client ID provided by Account Kit, BGR India reported. This flaw allowed an attacker to gain access to any user's Account Kit account just by using their phone number.
That meant that if an attacker could obtain the Account Kit token from stored cookies, the attacker could use it to log in to the user's Tinder account.
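To illustrate the missing check the article describes, here is an added example (not Tinder's or Facebook's code) of a login endpoint that exchanges an Account Kit token for an app session: a vulnerable form that trusts any valid token, and a fixed form that also requires the token's application ID to match the app's own Account Kit client ID. The Account Kit token lookup, the app ID and the phone numbers are constructed stand-ins.

```python
"""Added example, not Tinder's or Facebook's code: binding an Account Kit
token to the relying app's own client/app ID before issuing a session.
Account Kit's token introspection is stubbed with constructed data."""

# Assumption: the app ID the relying app registered with Account Kit
# (placeholder value, not a real ID).
OUR_ACCOUNT_KIT_APP_ID = "APP_ID_PLACEHOLDER"

# Constructed stand-in for Account Kit's token lookup. Each entry records
# the phone number the token authenticates and the *application* that
# issued the token. Two different apps can hold tokens for the same number.
FAKE_ACCOUNT_KIT = {
    "tok-from-our-app":   {"phone": "+10000000001",
                           "application": {"id": "APP_ID_PLACEHOLDER"}},
    "tok-from-other-app": {"phone": "+10000000001",
                           "application": {"id": "SOME_OTHER_APP"}},
    "tok-bogus": None,
}


def introspect(token):
    """Stub of a GET /me?access_token=... style lookup (constructed; no network).
    Returns None for an unknown or invalid token."""
    return FAKE_ACCOUNT_KIT.get(token)


def login_vulnerable(token):
    """Keys the session on the phone number of any valid Account Kit token.
    A token minted by a different Account Kit app for the same phone number
    is accepted, which is the class of flaw the article describes."""
    info = introspect(token)
    if info is None:
        return None
    return {"session_for_phone": info["phone"]}


def login_fixed(token):
    """Same flow, but the token must have been issued to our own app."""
    info = introspect(token)
    if info is None:
        return None
    if info.get("application", {}).get("id") != OUR_ACCOUNT_KIT_APP_ID:
        return None  # token belongs to some other Account Kit client
    return {"session_for_phone": info["phone"]}
```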
Prakash reported the bug to both companies and was rewarded with USD 5,000 (Rs 3.25 lakh) by Facebook and USD 1,250 (Rs 81,350) by Tinder. Engineers from both companies immediately plugged the vulnerability.