Security researchers at Kaspersky Lab say that a number of popular dating apps are vulnerable to up to three types of attack, potentially revealing anything from user location to full identity and employer …
The first approach tested was to see whether data users had chosen to share in the app could be cross-referenced with social media to identify people. The most dangerous information to reveal, they found, was your job and education.
Second was location-tracking. Any app that shows the distance between an attacker and a dating site member can be used to triangulate their location.
In theory, this would be tricky to do as you’d need to move around a lot while your target remained in one place, and the vague distances used by some services would mean many more measurements would be needed. But Kaspersky found a simple way around this.
Finally, they found that a number of services don’t encrypt all communications. Taking advantage of this fact would require a man-in-the-middle attack – where the bad guys create a fake version of a public WiFi hotspot and then search the traffic – but this is not entirely uncommon.
Badoo, for example, doesn’t use HTTPS for photos. By examining the photos viewed, it would be possible to work out which profiles were being viewed. Mamba was even worse, not using HTTPS at all, allowing all data to be captured, including login credentials.
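As an added illustration (not code from Kaspersky or from the apps named), here is how a tester might audit a capture of their own app session for the two cleartext patterns described above. The hostnames, record layout and parameter names are constructed assumptions for the example.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as secrets (assumed list; extend for the app under test).
SECRET_KEYS = {"password", "passwd", "pwd", "token", "session", "auth"}

def classify(entry):
    """Return None for HTTPS requests, else a label for what the cleartext request exposes."""
    url = urlsplit(entry["url"])
    if url.scheme == "https":
        return None
    # Look for secrets in both the query string and a form-encoded body.
    params = parse_qsl(url.query) + parse_qsl(entry.get("body", ""))
    if any(key.lower() in SECRET_KEYS for key, _ in params):
        return "credentials"
    # Cleartext images reveal which profiles the user looked at.
    if entry.get("mime", "").startswith("image/"):
        return "profile-media"
    return "other-cleartext"

def audit(entries):
    """Summarise every cleartext request and whether the app used TLS at all."""
    findings = [(classify(e), e["url"]) for e in entries]
    findings = [(label, url) for label, url in findings if label]
    return {
        "findings": findings,
        "no_tls_at_all": bool(entries) and len(findings) == len(entries),
    }

# Constructed sample captures (hypothetical hosts, not real traffic).
PARTIAL_TLS = [  # login protected, photos not
    {"url": "https://api.app-a.example/login", "mime": "application/json",
     "body": "user=alice&password=hunter2"},
    {"url": "http://cdn.app-a.example/photos/1234.jpg", "mime": "image/jpeg"},
]
NO_TLS = [  # nothing protected
    {"url": "http://app-b.example/login", "mime": "text/html",
     "body": "user=bob&password=s3cret"},
    {"url": "http://app-b.example/inbox?session=abc123", "mime": "text/html"},
]

if __name__ == "__main__":
    for name, capture in (("PARTIAL_TLS", PARTIAL_TLS), ("NO_TLS", NO_TLS)):
        print(name, audit(capture))
```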
The real-life risks from these weaknesses seem relatively low, but a couple of them are worthy of note. If you want a dating profile to remain anonymous, you probably want to be suitably vague about your work and educational achievements.
Similarly, it’s never a good idea to log in to any sensitive service – be it a dating site or online banking – on a public hotspot unless you are 100% confident you know it’s the real deal. Switching off WiFi and connecting via mobile data is the safer approach.
Via Gizmodo