Report Key Findings
Both Tinder’s web and mobile applications allow users to use their mobile phone numbers to log in to the service, and this login service is provided by Account Kit (Facebook).
Login Service Powered by Facebook’s Account Kit on Tinder
The user clicks on Login with Phone Number on tinder.com and is then redirected to Accountkit.com to log in. If authentication succeeds, Account Kit passes the resulting access token to Tinder, which uses it to log the user in.
Interestingly, the Tinder API was not checking the client ID on the token provided by Account Kit, i.e. it did not verify that the token had been issued to Tinder’s own Account Kit app.
This enabled an attacker to present an Account Kit access token issued to any other app and take over the real Tinder accounts of other users.
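To make the missing check concrete, the following is an added example (not code from Tinder, Facebook or this report). It models a relying party that validates an Account Kit token by asking Account Kit who the token belongs to; the lookup table, token strings, app IDs and the `application` → `id` field name are all constructed assumptions standing in for the real HTTPS call and its response.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder for the relying app's own Account Kit app (client) id.
OUR_APP_ID = "111111"

# Constructed stand-in for Account Kit's token lookup: token -> what Account Kit
# would report about it. "tok-other" is a valid token, but issued to a different app.
CONSTRUCTED_ACCOUNT_KIT = {
    "tok-ours":  {"id": "u-42", "phone": {"number": "+15550100"}, "application": {"id": "111111"}},
    "tok-other": {"id": "u-42", "phone": {"number": "+15550100"}, "application": {"id": "999999"}},
    "tok-noapp": {"id": "u-42", "phone": {"number": "+15550100"}},
}


@dataclass(frozen=True)
class Identity:
    user_id: str
    phone: str


def lookup_token(token: str) -> Optional[dict]:
    """Stand-in for the server-side HTTPS call that resolves a token with Account Kit."""
    return CONSTRUCTED_ACCOUNT_KIT.get(token)


def login_vulnerable(token: str) -> Optional[Identity]:
    """The pattern the report describes: any token Account Kit recognises is
    accepted, regardless of which app it was issued to."""
    info = lookup_token(token)
    if info is None:
        return None
    return Identity(info["id"], info["phone"]["number"])


def login_fixed(token: str, expected_app_id: str = OUR_APP_ID) -> Optional[Identity]:
    """Bind the token to this app: a token issued to any other client id is
    treated exactly like an invalid one."""
    info = lookup_token(token)
    if info is None:
        return None
    issued_to = (info.get("application") or {}).get("id")
    if issued_to != expected_app_id:
        return None  # valid token, wrong audience: do not log the user in
    return Identity(info["id"], info["phone"]["number"])
```

The audience check is the same idea as verifying `aud` on a JWT: a token being genuine is not enough, it must have been issued to the app that is about to accept it.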
About PingSafe Security
PingSafe Security is the industry-leading agentless Cloud Security Platform that identifies, prioritizes, and remediates risks. PingSafe connects to your environment in minutes with patent-pending SideScanning technology to provide complete coverage across vulnerabilities, malware, misconfigurations, lateral movement risks, weak and leaked passwords, and overly permissive identities. Founded in 2019, PingSafe is trusted by hundreds of customers globally, including Databricks, Autodesk, NCR, Gannett, and Robinhood. Connect your first account in minutes: https://pingsage.com or take the free cloud risk assessment.
“PingSafe is an excellent solution for dynamic and real-time monitoring of all the multi-cloud workloads. The flexibility of configuration and the ease of maintenance is a big plus.”
Global CISO, Dr. Reddy’s