Category Archives: mitm

Are you a Tinder user? Watch out, someone could spy on you

Experts at security firm Checkmarx discovered two security vulnerabilities in the Tinder mobile apps that could be exploited to spy on users.

Security experts at Checkmarx discovered two security vulnerabilities in the Tinder Android and iOS dating applications that could be exploited by an attacker on the same wi-fi network as a target to spy on users and modify their content.

Attackers can view a target user’s Tinder profile, see the profile images they view and determine the actions they take.

“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content (as demonstrated in the research).” reads the analysis published by Checkmarx.

“While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.”

An attacker can conduct many other malicious activities, including intercepting traffic and launching DNS poisoning attacks.

The first issue is related to the fact that both the iOS and Android Tinder apps download profile pictures via insecure HTTP connections, this means that an attacker can access the traffic to determine which profiles are viewed by a Tinder user.

Tinder data leak

SOCIAL NETWORKS / TINDER

An attacker could also modify traffic for example to swap images.

“Attackers can easily discover what device is viewing which profiles,” continues the analysis. “Furthermore, if the user stays online long enough, or if the app initializes while on the vulnerable network, the attacker can identify and explore the user’s profile.” “Profile images that the victim sees can be swapped, rogue advertising can be placed and malicious content can be injected,”

Obviously, such kind of issue could be mitigated with the adoption of HTTPS.

Checkmarx also discovered another issue related to the use of HTTPS, the flaw was called “Predictable HTTPS Response Size”.

“By carefully analyzing the traffic coming from the client to the API server and correlating with the HTTP image requests traffic, it is possible for an attacker to determine not only which image the user is seeing on Tinder, but also which action did the user take.” states Checkmarx. “This is done by checking the API server’s encrypted response payload size to determine the action,” 

An attacker that is in the position of analyzing the traffic can discover the user’s interest in a specific profile by detecting a 278-byte encrypted response that is delivered by the API server when he swipes left on a profile picture. Swiping right, the Tinder user likes a particular profile, in this case, the response generated is composed of 374 bytes.

The researchers also noticed that Tinder member pictures are downloaded to the app via HTTP connection, this makes possible for an attacker to view the profile images of those users being swiped left and right.

In order to mitigate this issue, researchers suggest padding requests, if the responses were padded to a fixed size, it would be impossible to discriminate the user’s action.

Checkmarx disclosed both vulnerabilities to Tinder.

Pierluigi Paganini

(Security Affairs – Tinder, privacy)

The post Are you a Tinder user? Watch out, someone could spy on you appeared first on Security Affairs.

Security Affairs: Are you a Tinder user? Watch out, someone could spy on you

Experts at security firm Checkmarx discovered two security vulnerabilities in the Tinder mobile apps that could be exploited to spy on users.

Security experts at Checkmarx discovered two security vulnerabilities in the Tinder Android and iOS dating applications that could be exploited by an attacker on the same wi-fi network as a target to spy on users and modify their content.

Attackers can view a target user’s Tinder profile, see the profile images they view and determine the actions they take.

“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content (as demonstrated in the research).” reads the analysis published by Checkmarx.

“While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.”

An attacker can conduct many other malicious activities, including intercepting traffic and launching DNS poisoning attacks.

The first issue is related to the fact that both the iOS and Android Tinder apps download profile pictures via insecure HTTP connections, this means that an attacker can access the traffic to determine which profiles are viewed by a Tinder user.

Tinder data leak

SOCIAL NETWORKS / TINDER

An attacker could also modify traffic for example to swap images.

“Attackers can easily discover what device is viewing which profiles,” continues the analysis. “Furthermore, if the user stays online long enough, or if the app initializes while on the vulnerable network, the attacker can identify and explore the user’s profile.” “Profile images that the victim sees can be swapped, rogue advertising can be placed and malicious content can be injected,”

Obviously, such kind of issue could be mitigated with the adoption of HTTPS.

Checkmarx also discovered another issue related to the use of HTTPS, the flaw was called “Predictable HTTPS Response Size”.

“By carefully analyzing the traffic coming from the client to the API server and correlating with the HTTP image requests traffic, it is possible for an attacker to determine not only which image the user is seeing on Tinder, but also which action did the user take.” states Checkmarx. “This is done by checking the API server’s encrypted response payload size to determine the action,” 

An attacker that is in the position of analyzing the traffic can discover the user’s interest in a specific profile by detecting a 278-byte encrypted response that is delivered by the API server when he swipes left on a profile picture. Swiping right, the Tinder user likes a particular profile, in this case, the response generated is composed of 374 bytes.

The researchers also noticed that Tinder member pictures are downloaded to the app via HTTP connection, this makes possible for an attacker to view the profile images of those users being swiped left and right.

In order to mitigate this issue, researchers suggest padding requests, if the responses were padded to a fixed size, it would be impossible to discriminate the user’s action.

Checkmarx disclosed both vulnerabilities to Tinder.

Pierluigi Paganini

(Security Affairs – Tinder, privacy)

The post Are you a Tinder user? Watch out, someone could spy on you appeared first on Security Affairs.



Security Affairs

CoffeeMiner PoC Targets Public Wi-Fi Networks to Mine for Cryptocurrency

A recently published proof-of-concept notes that it could be possible for attackers to hijack coffee shop Wi-Fi networks and get connected users to mine cryptocurrencies, according to software developer Arnau Code.

A couple of weeks back, an incident involving a Starbucks coffee shop having their customers mining for cryptocurrency – it seems the internet service provider that offered Wi-Fi connectivity was at fault – so it seems attackers physically in the coffee shop could hijack the network. Arnau pulled off the proof-of-concept by performing a man-in-the-middle attack that involved redirecting all customers through his proxy by performing an ARP-spoofing attack, then injecting a single line of code into visited HTML pages that calls the cryptocurrency miner in the victim’s browser.

“The objective is to have a script that performs autonomous attack on the WiFi network,” wrote Arnau. “It’s what we have called CoffeeMiner, as it’s a kind of attack that can be performed in the cafes WiFi networks”

Although the attack requires the cybercriminal to actually be present in the coffee shop and have a strong enough Wi-Fi antenna so that it can hijack traffic from as many clients as possible, the attack does seem plausible, provided the targeted router or switch lacks built-in ARP-spoofing protection.

Leveraging the same CoinHive cryptocurrency mining JavaScript used by The Pirated Bay or some rogue Google Chrome extensions, Arnau does point out that, for the mining to yield positive results, the victim needs to visit the affected website for more than 40 seconds per session.

“CoinHive miner makes sense when user stays in a websit for mid-long term sessions. So, for example, for a website where the users average session is around 40 seconds, it doesn’t make much sense,”
reads the blog post. “In our case, as we will inject the crypto miner in each one of the HTML pages that victims request, will have long term sessions to calculate hashes to mine Monero.”

The developer suggests that adding more automation to his proof-of-concept could increase its effectivness, although the project has been tagged “for academic purposes only”.