Swipe Left on Tinder’s Security — Sending More Than Just GIFs and Crashing Matches’ Phones Isn’t Hot

Alec Garcia
4 min read · Jan 28, 2016

Tinder’s private API has a history of being vulnerable, allowing some interesting hacks to surface, such as letting users calculate other users’ precise locations and making men unknowingly flirt with each other. Tinder just released an update today that gives you the ability to send GIFs to your matches via GIPHY. Whenever a new app or update comes out, I always play around with it and test its limits, looking for common vulnerabilities. After a few minutes of playing around with Tinder’s new GIF feature, I was able to find a couple of exploits.

Crashing your match’s phone

Update: Tinder appears to have fixed this exploit.

The server now returns error 500 if the width or height is larger than 1000, I believe.
Also, any past GIFs that were sent with the large size attributes that were crashing phones no longer crash the phone. Those images are now replaced with just the link to the GIF.

I wrote an article when Peach came out that included an exploit that crashes users’ phones. Basically, Peach’s server didn’t validate the size of images in requests, so one could modify the request and make the image ridiculously large, and when the client loaded it, it would run out of memory and crash. I noticed that the request when sending a GIF on Tinder included width and height parameters for the image as well, so I decided to repeat that logic with the assumption that Tinder’s server doesn’t validate the size either, and I was correct.

Sample URL when sending a GIF on Tinder:

https://media.giphy.com//media//M0rraH3569w7m//giphy.gif?width=400&height=270

If you intercept the request when sending a GIF and modify the URL, changing the width and height to a really large number, the phone of the user will instantly crash when they tap on your message.

Sample modified GIF URL:

https://media.giphy.com//media//M0rraH3569w7m//giphy.gif?width=100000000000000000000000000000000000000000000000000000&height=100000000000000000000000000000000000000000000000000000

There’s no point in sending this insanely “large” GIF to your match other than to be a malicious troll, but it’s still possible. Once you send it, you’re matched together forever. Neither you nor your match can unmatch each other because the app crashes when you try to view the message/profile.

Sending any image you want to your match (not just GIFs)

Just because Tinder lets you send GIFs in chat doesn’t mean that’s the only thing you can send. If you believe hard enough, any image can become a GIF, and Tinder welcomes your imagination. Tinder lets you search for GIFs in its app, which is powered by GIPHY’s API. Since Tinder’s server accepts any GIPHY GIF, you can upload a GIF to GIPHY, simulate the request for sending a new message, and include the link to the GIF you just uploaded, instead of being restricted to sending only GIFs you can search for in Tinder. It may seem like this opens up more creativity for users to showcase their personality to their matches via imagery, but this actually isn’t good at all, since trolls and creeps can abuse it and send inappropriate images.

All you have to do to send “any” image you want to your match is:

  • Convert the image into a GIF
  • Upload the GIF to GIPHY
  • Send a network request to Tinder’s private API to send a new message which includes the link to the uploaded GIF

Sample API request:

API URL (POST request): https://api.gotinder.com/user/matches/{match_id}

Body:

{
  "type": "gif",
  "message": "https:\/\/media.giphy.com\/media\/M0rraH3569w7m\/giphy.gif?width=360&height=360"
}
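Both problems above come down to the server trusting the "message" URL as sent by the client. The following server-side check is an added illustration of how that field could be validated; it is not Tinder’s code and not from the post. It accepts only https GIPHY media URLs, bounds width and height to an assumed limit of 1000 (the post only says the later fix rejects values above roughly that), and optionally requires the GIF id to be one the server itself returned to that client through GIF search (the known_ids set is an assumption about how such an allowlist would be kept).

```python
from urllib.parse import urlparse, parse_qs

# Assumed bound: the post only reports that Tinder's fix rejects width or
# height above roughly 1000, so that is used as the limit here.
MAX_DIMENSION = 1000
ALLOWED_HOST = "media.giphy.com"


def validate_gif_message(url: str, known_ids=None):
    """Server-side check of a 'gif' message body before it is stored and relayed.

    Returns (ok, reason). known_ids (assumption) is the set of GIPHY ids the
    server previously served to this client via GIF search; None skips that check.
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
        return False, "host not allowed"
    # The sample URLs use doubled slashes; dropping empty segments normalises them.
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 3 or segments[0] != "media" or segments[2] != "giphy.gif":
        return False, "unexpected media path"
    gif_id = segments[1]
    if known_ids is not None and gif_id not in known_ids:
        return False, "gif not from search results"
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in ("width", "height"):
        values = params.get(name)
        if not values or len(values) != 1:
            return False, f"{name} missing or repeated"
        raw = values[0]
        # Plain ASCII digits only: int() would also accept ' 42', '+42' or non-ASCII digits.
        if not raw.isascii() or not raw.isdigit():
            return False, f"{name} is not a plain integer"
        # Length check before int(): the crashing URLs carried 50+ digit values.
        if len(raw) > len(str(MAX_DIMENSION)):
            return False, f"{name} too large"
        value = int(raw)
        if value < 1 or value > MAX_DIMENSION:
            return False, f"{name} out of range"
    return True, "ok"
```

A rejected message should be answered with a client error rather than stored, so a crafted URL never reaches the recipient’s device.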

I asked one of my matches if I could test something, and she consented. Her immediate reaction was a mix of disbelief and confusion. She wondered how it was possible for me to send an image that’s not available through Tinder’s GIF search, let alone her own profile picture. After I explained, she thought it was interesting and was okay with it. But imagine if I were a creep and sent something else? Yikes.

Reaction to a sent image that’s not available to send through Tinder’s GIF search

Hopefully Tinder fixes these issues quickly, and no one abuses them. I write articles such as this one to bring light to security vulnerabilities in popular and upcoming apps. I previously wrote about trending apps amongst college students that were leaking private data. Security and privacy should be taken very seriously, and it’s up to both the user and the developer to protect themselves. Users should always double check which information and permissions they are granting to apps, and developers should always thoroughly QA test new product features.

Code 👨‍💻 and coffee ☕️. Software Engineer at Google.