Once in, the attacker could have gotten ahold of the user’s Account Kit access token present in their cookies (aks).Īfter that, the attacker could use the access token (aks) to log into the user’s Tinder account using a vulnerable API. There was a vulnerability in Account Kit through which an attacker could have gained access to any user’s Account Kit account just by using their phone number. It allows users to like or dislike other users, and then proceed to a chat if both parties swiped right. Tinder is a location-based mobile app for searching and meeting new people. It is reliable, easy to use, and gives the user a choice about how they want to sign up for apps. Vulnerability DescriptionĪccount Kit is a product of Facebook that lets people quickly register for and log in to some registered apps by using just their phone numbers or email addresses without needing a password. This enabled the attacker to use any other app’s access token provided by Account Kit to take over the real Tinder accounts of other users. Interestingly, the Tinder API was not checking the client ID on the token provided by Account Kit. If the authentication is successful then Account Kit passes the access token to Tinder for login. The user clicks on Login with Phone Number on and then they are redirected to for login. Login Service Powered by Facebook’s Accountkit on Tinder And this login service is provided by Account Kit (Facebook). This could have been exploited through a vulnerability in Facebook’s Account Kit, which Facebook has recently addressed.īoth Tinder’s web and mobile applications allow users to use their mobile phone numbers to log into the service.
By exploiting this, an attacker could have gained access to the victim’s Tinder account, who must have used their phone number to log in.
This post is about an account takeover vulnerability I discovered in Tinder’s application. The vulnerabilities mentioned in this blog post were plugged quickly by the engineering teams of Facebook and Tinder. This is being published with the permission of Facebook under the responsible disclosure policy.
By AppSecure How I hacked Tinder accounts using Facebook’s Account Kit and earned $6,250 in bounties
0 kommentar(er)
