People turn to online dating for a variety of reasons, unknowingly making themselves vulnerable to cyberattacks and personal data loss. According to research from Kaspersky and B2B International, 48% of users join for fun, 13% are looking for a fun night out, and others are looking for long-term relationships. The problem is that, while dating app subscribers may be willing to share a direct job title with people viewing or matched with their profile (25% share their full name on their public profile and one in ten share their home address), hackers can also access that information and use it to glean more personal data, access the user’s social media accounts, and even gain full superuser access.
In today’s cyber-aware software world, the makers of mobile dating apps have left their platforms especially vulnerable to attack. According to Kaspersky, several popular online dating apps are open to hacks of personal information other than the usual targets such as credit card numbers and financial details. After studying mobile online dating apps (Tinder, Bumble, and OkCupid being the top 3), researchers uncovered vulnerabilities ranging from unencrypted photo uploads to personal identification information and employment and education details.
The danger stems from factors including poor security and lack of encryption during data transmission, lack of security in token-based authorization processes, and weakness in several apps’ message history. In some cases, hackers could log into accounts and send messages to others as the account owner. For Android users, hackers were even able to break into the phone itself and become a superuser, giving them full access to dating app accounts and the ability to view messaging history and photos. (Even when credentials are encrypted, the decryption key is often easily extractable from the app itself.)
Social media friends you didn’t know you had
Several apps let other users know a subscriber’s workplace or school, and this information makes it easy to find social media accounts that reveal real names. In particular, apps that use Facebook accounts for data exchange with the server make it simple to find out the names and surnames of users from their Facebook profiles.
Dating apps are also vulnerable to man-in-the-middle (MITM) attacks. For servers that use HTTPS, checking certificate authenticity can protect against MITM attacks, but half of the examined apps do not verify the authenticity of certificates.
The information you share isn’t always encrypted
Recently, Tinder’s transmission of pictures to and from the phone over unprotected HTTP has been called out by Tel Aviv app security firm Checkmarx. In response, Tinder says its desktop and mobile web platforms do encrypt profile images, and the company is now working on encrypting images on its app, but researchers have been able to pull information out of the data Tinder does encrypt.
As Erez Yalon of Checkmarx points out, “There’s really no excuse for using HTTP these days.”
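The two transport weaknesses described above, certificates that are never verified and images sent over plain HTTP, can both be checked for in a client's configuration. The following is an added example, not code from Kaspersky, Checkmarx or any of the apps; it uses Python's standard `ssl` module, and the function names, finding codes and `dating.example` hosts are constructed for illustration.

```python
import ssl
from urllib.parse import urlsplit

def strict_context() -> ssl.SSLContext:
    # Library default: validate the chain against trusted CAs and match the hostname.
    return ssl.create_default_context()

def chain_only_context() -> ssl.SSLContext:
    # Chain is validated, but a valid certificate for ANY domain is accepted,
    # so an interceptor holding some other legitimate certificate still passes.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx

def unverified_context() -> ssl.SSLContext:
    # The weak configuration: no authenticity check at all.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_client(url: str, ctx: ssl.SSLContext) -> list[str]:
    """Return finding codes for one endpoint/context pair (empty list means OK)."""
    if urlsplit(url).scheme.lower() != "https":
        return ["PLAINTEXT_HTTP"]    # no TLS, so the context settings never apply
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("CERT_NOT_VERIFIED")
    if not ctx.check_hostname:
        findings.append("HOSTNAME_NOT_CHECKED")
    return findings

# Constructed sample endpoints (hypothetical hosts, not taken from the article).
SAMPLES = [
    ("https://api.dating.example/profile", strict_context()),
    ("https://api.dating.example/profile", chain_only_context()),
    ("https://api.dating.example/profile", unverified_context()),
    ("http://images.dating.example/photo.jpg", strict_context()),
]

if __name__ == "__main__":
    for url, ctx in SAMPLES:
        print(url, audit_client(url, ctx) or "OK")
```

Only the first sample passes: encryption without both chain validation and hostname matching still leaves the connection open to interception.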
How to protect yourself
Putting yourself out there through online dating is hard enough. While users may already be feeling vulnerable, their data doesn’t need to be. As dating platforms take steps to address their susceptibilities, here are a few suggestions from the experts for how to minimize the uncomfortable personal exposure these apps may cause.
- Avoid unprotected Wi-Fi networks and public Wi-Fi access points. Use a VPN.
- Install a security solution on your smartphone that can detect malware.
- Do not specify your place of work, or any other information that could identify you.
- Share information on a need-to-know basis only.
- Don’t add your social media accounts to your public profile in a dating app with your real name, place of work, etc.
- Never disclose your e-mail address.