Launched in 2012, Tinder is a highly popular mobile "swiping" dating app. It is used worldwide, counting 1.6 billion swipes a day across 196 countries.
Researchers discovered that the Tinder app lacks basic HTTPS encryption for profile pictures, allowing any stranger on the same open Wi-Fi network (for instance, the same public hotspot) to see which profiles the user is viewing as well as explore the user's profile.
An attacker could also take control of the profile pictures a user sees and swap them for inappropriate content, rogue advertising or other types of malicious content.
"We can simulate exactly what the user sees on his or her screen. You know everything: What they're doing, what their sexual preferences are, a lot of information," Erez Yalon, Checkmarx's manager of application security research, told WIRED.
The researchers pointed out that the vulnerabilities were found in both the Android and iOS versions of the app.
A Tinder spokesperson told WIRED in a statement that "like every other technology company, we are constantly improving our defenses in the battle against malicious hackers".
The recommendation for users is to avoid public Wi-Fi networks wherever possible.