The bug discovered by Prakash allowed an attacker to gain access to a Tinder account. The user was more vulnerable if he or she used mobile number to log in to his or her account
Ethical hacker Anand Prakash, who has a proven track record of winning bounties worth crores by hunting bugs in apps and social networking sites, was at work again. He reported a vulnerability to Tinder and Facebook and was rewarded with monetary awards worth about Rs 4 lakh.
Tinder lets its users log in to both the mobile application and the web app with their mobile numbers. For that, the company uses Account Kit, a login tool developed by Facebook. When a Tinder user clicks log in, they are redirected to Account Kit; if the phone-number verification succeeds, Account Kit returns an access token, which Tinder then accepts to grant access to the user's Tinder account.
Prakash found that part of the Tinder API was not checking the client ID of the Account Kit access token it received, BGR India reported. The flaw allowed an attacker to gain access to any user's Account Kit account just by using their phone number.
That meant that if an attacker could obtain a user's Account Kit token from stored cookies, the attacker could present that token to Tinder and log in to the user's Tinder account, because Tinder never verified that the token had been issued for Tinder's own client ID.
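The missing check is a general one: a service that accepts tokens issued by a third-party identity provider must confirm the token was issued to that service's own client ID, not merely that the token is live. The Python below is an added illustration, not code from Tinder, Facebook, Account Kit or the article. The identity provider's token lookup is stood in for by a constructed in-memory table, and the field names (user_id, phone, client_id) and the client IDs are assumptions. It shows the flawed login step beside the hardened one.

```python
import hashlib
import hmac
import secrets

# Hypothetical identifier under which "our" app is registered with the identity provider.
OUR_CLIENT_ID = "client-id-of-our-app"

# Constructed table standing in for the provider's token-introspection endpoint.
# Keys are opaque access tokens; values are what the provider says about them
# (None means the token is unknown or expired). Same phone number for both
# live tokens, but the second was issued to a different client app, for
# example one an attacker registered with the provider.
TOKEN_INFO = {
    "ak-token-A": {"user_id": "ak-7281", "phone": "+15550100",
                   "client_id": "client-id-of-our-app"},
    "ak-token-B": {"user_id": "ak-7281", "phone": "+15550100",
                   "client_id": "client-id-of-attacker-app"},
    "ak-token-stale": None,
}

# Constructed server-side secret used to bind issued sessions.
SESSION_KEY = b"constructed-server-side-secret"


def introspect(token):
    """Stand-in for asking the identity provider what a token represents."""
    return TOKEN_INFO.get(token)


def issue_session(phone):
    """Mint an opaque, HMAC-tagged session for the account tied to `phone`."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(SESSION_KEY, f"{phone}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return {"phone": phone, "session": f"{nonce}.{tag}"}


def login_vulnerable(token):
    """Flawed check: any live provider token is accepted, whichever client it was issued to."""
    info = introspect(token)
    if info is None:
        return {"ok": False, "reason": "unknown token"}
    return {"ok": True, **issue_session(info["phone"])}


def login_hardened(token, expected_client_id=OUR_CLIENT_ID):
    """Fixed check: the token must also have been issued to our own client ID."""
    info = introspect(token)
    if info is None:
        return {"ok": False, "reason": "unknown token"}
    # Constant-time comparison so the client-ID check itself leaks nothing.
    if not hmac.compare_digest(info.get("client_id", ""), expected_client_id):
        return {"ok": False, "reason": "token issued to a different client"}
    return {"ok": True, **issue_session(info["phone"])}


if __name__ == "__main__":
    for login in (login_vulnerable, login_hardened):
        for tok in TOKEN_INFO:
            print(login.__name__, tok, login(tok))
```

With the vulnerable check, a token obtained for the victim's phone number through any other client app is enough to get a session; the hardened check rejects it and accepts only tokens the provider issued for our client ID.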
Prakash reported the bug to both companies and was rewarded with USD 5,000 (Rs 3.25 lakh) by Facebook and USD 1,250 (Rs 81,350) by Tinder. Engineers at both companies promptly fixed the vulnerability.