Hacking into Tinder’s Premium Model

Sanskar Jethi
Jul 14, 2019 · 4 min read

In this blog post, I’ll be talking about how we can bypass Tinder’s premium service and convert likes into matches through a vulnerability in their API.

Reason for this post:

So, I reported this bug to Tinder’s bug bounty team and they gave me the following response:

“We are aware of this behavior and we choose to not take any action for the same”.

Which meant either of these two things:

Whatever the case may be, the world needed to know! xD

The Good Stuff:

Tinder has a system of Likes and Matches.
When a person swipes right on you, you get a like, and when you swipe right back on him/her, it’s a match.

But unless you are a premium subscriber, you can’t see the liker’s profile/photo. All you get is a blurred photo and the option to buy the premium service.

So, when I was reverse-engineering their API, I happened to find that Tinder blurs the image on the client side and sends the complete image in the response.
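
The root cause described above is that the paywall is enforced only in the client. As an added example (not from the original post and not Tinder's code), the following contrasts a serializer that relies on client-side blurring with one that enforces entitlement on the server, plus a leak check that can run in API tests. All field names, URLs and the sample record are constructed assumptions.

```python
import copy

# Constructed sample record; field names and URLs are assumptions, not Tinder's schema.
LIKE = {
    "user_id": "u-1001",
    "name": "Sample",
    "photos": [{"id": "p-1",
                "url": "https://img.example.test/u-1001/640x640_p-1.jpg",
                "blurred_url": "https://img.example.test/teaser/9f2c.jpg"}],
}

def serialize_client_blur(like, viewer_is_premium):
    """'Before': the full record goes out; a flag asks the client to blur it."""
    out = copy.deepcopy(like)
    out["blur"] = not viewer_is_premium
    return out

def serialize_server_enforced(like, viewer_is_premium):
    """'After': unentitled viewers only receive a pre-blurred derivative."""
    if viewer_is_premium:
        return copy.deepcopy(like)
    # The teaser URL must not embed the user id or the original photo id,
    # otherwise the original asset path could be derived from it.
    return {"photos": [{"url": p["blurred_url"]} for p in like["photos"]]}

def leaked_values(original, response):
    """Return the protected values of `original` that appear anywhere in `response`."""
    protected = {original["user_id"], original["name"]}
    for p in original["photos"]:
        protected.update({p["id"], p["url"]})
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)
        elif isinstance(node, str):
            # Substring match also catches ids embedded inside URLs.
            found.update(s for s in protected if s in node)

    walk(response)
    return found
```

Running `leaked_values` against the response built for a non-premium viewer in an integration test fails the build whenever a protected identifier or original asset URL reaches a client that has not paid for it.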


So, the API requires a few request headers which can be obtained through an easy process.

Step 1: Get your Request Headers.

Log in to your Tinder account in a browser, open the developer console and search for the following request.

Image for post

Step 2: Make a Request to The Endpoint and Access the Photo

Image for post

and save through the following process.

Image for post

and voila! You have your desired image.

The only dynamic parameter is the X-Auth-Token, which needs to be updated every week or when the call fails.

We make a simple request and voila.

On further investigation, I found out that Tinder’s LIKE system follows a Queue or FIFO system, where to get the image of every person who likes you on Tinder, you have to match to the one present at the front of the queue, i.e. the response image which was received.

Now you search through your recommendations and just swipe right :)

Some BONUS Content

Tinder’s recommendation system follows a circular queue system, i.e. a recommendation rejected by you is likely to show up again as your recommendation until a new image is added to the queue, which happens once in 24 hours or when you change your physical location.

Also, Tinder applies a profile boost when you travel to a different state/country and basically fetches you double the number of likes that you are likely to get.

Now, this endpoint fetches you the image and user id of your recent suggestion.


fetches you the following response

{
  "status": 200,
  "results": [
    {
      "distance_mi": 2,
      "common_like_count": 0,
      "common_friend_count": 0,
      "common_likes": [],
      "common_friends": [],
      "_id": "518d666a2a00df0e490000b9",
      "bio": "",
      "birth_date": "1986-05-17T00:00:00.000Z",
      "gender": 1,
      "name": "Elen",
      "ping_time": "2014-04-08T11:59:18.494Z",
      "photos": [
        {
          "id": "fea4f480-7ce0-4143-a310-a03c2b2cdbc6",
          "main": true,
          "crop": "source",
          "fileName": "fea4f480-7ce0-4143-a310-a03c2b2cdbc6.jpg",
          "extension": "jpg",
          "processedFiles": [
            {
              "width": 640,
              "height": 640,
              "url": "http://images.gotinder.com/518d666a2a00df0e490000b9/640x640_fea4f480-7ce0-4143-a310-a03c2b2cdbc6.jpg"
            }
          ]
        }
      ]
    }
  ]
}

And using some OpenCV magic (to check whether the photos match) and some more requests, you can automate your searching process and make your lives much simpler.

All you have to do is make GET requests using the same request headers as above.

To like the matched photo:


And to reject the rest:


If the above is too complex for you, you can just swipe your way through.

I don’t have the time to code a program for this, but if someone wants to create one, I’ll be happy to collaborate.

Happy Matching!
