App developers should take a long, hard look at how they use Facebook’s Account Kit for identifying users – after a flaw in the system, and Tinder’s use of the toolkit, left shag-seekers open to account hijacking.
When a horny netizen logs into their Tinder profile using their phone number as a username, the hookup app relies on the Facebook-built AccountKit.com to check the person is the legit owner of that account.
Facebook’s system texts a confirmation code to the punter, they receive it on their phone, and type the code into Account Kit’s website. Account Kit verifies the code is correct, and if it is, issues Tinder an authorization token, allowing the login attempt to complete.
It’s a simple, easy, and supposedly secure password-less system: your Tinder account is linked to your phone number, and as long as you can receive texts to that number, you can log into your Tinder account.
However, Appsecure founder Anand Prakash discovered Account Kit didn’t check whether the confirmation code was correct when the toolkit’s software interface – its API – was used in a particular way. Supplying a phone number as a “new_phone_number” parameter in an API call over HTTP skipped the verification code check, and the kit returned a valid “aks” authorization token.
Thus, you could supply anyone’s phone number to Account Kit, and it would return a legit “aks” access token as a cookie in the API’s HTTP response. That’s not great.
Prepare for trouble, and make it double
Now to Tinder. The app’s developers forgot to check the client ID number in the login token from Account Kit, meaning it would accept the aforementioned “aks” cookie as a legit token. Thus it was possible to create an authorization token belonging to a stranger from Account Kit, and then send it to Tinder’s app to log in as that person.
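As an added illustration, not code from Prakash, Facebook or Tinder, here is the shape of the missing server-side check in Python: a login handler that trusts any well-formed token for the presented phone number, beside one that also insists the token was issued for this app's own client ID and has not expired. Field names, the app ID and the tokens are all constructed stand-ins, since real Account Kit tokens are opaque to the app.

```python
import json
import time

# Constructed value: the client ID this service registered with the identity provider.
EXPECTED_CLIENT_ID = "app-12345"


def parse_token(raw):
    """Decode a constructed JSON token blob (assumed field names: client_id, phone, exp)."""
    return json.loads(raw)


def accept_login_unchecked(raw, phone):
    """The blunder described above: any well-formed token naming the right phone
    number is honoured, regardless of which app it was minted for."""
    tok = parse_token(raw)
    return tok.get("phone") == phone


def accept_login_checked(raw, phone, now=None):
    """Hardened handler: the token must be bound to this app (client ID), to the
    phone number being logged in, and must still be within its validity window."""
    tok = parse_token(raw)
    now = time.time() if now is None else now
    if tok.get("client_id") != EXPECTED_CLIENT_ID:
        return False  # minted for some other app: not ours to honour
    if tok.get("phone") != phone:
        return False  # token does not vouch for this number
    if tok.get("exp", 0) <= now:
        return False  # stale token
    return True


# Constructed sample tokens: one issued to this app, one issued to a different app,
# and one for this app that has already expired.
OUR_TOKEN = json.dumps({"client_id": "app-12345", "phone": "+15550001111", "exp": 2_000_000_000})
FOREIGN_TOKEN = json.dumps({"client_id": "app-99999", "phone": "+15550001111", "exp": 2_000_000_000})
EXPIRED_TOKEN = json.dumps({"client_id": "app-12345", "phone": "+15550001111", "exp": 1_000_000_000})
FIXED_NOW = 1_700_000_000  # pinned clock so the comparisons are reproducible

if __name__ == "__main__":
    for name, tok in [("ours", OUR_TOKEN), ("foreign", FOREIGN_TOKEN), ("expired", EXPIRED_TOKEN)]:
        print(name, "unchecked:", accept_login_unchecked(tok, "+15550001111"),
              "checked:", accept_login_checked(tok, "+15550001111", now=FIXED_NOW))
```

The unchecked handler lets the foreign token through, which is exactly the gap a token from somebody else's app would walk through; the checked one refuses it.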
All you’d need is a victim’s phone number, and bam, you’re in their Tinder profile, reading their saucy messages between hookups or discovering how much of an unloved sad sack they were, and setting up dates.
“He will be logged in to the victim’s Tinder account,” explained Prakash earlier this week, apparently assuming only guys would be interested in this kind of caper. Pssh, as if.
“The attacker basically has full control over the victim’s account now — he can read private chats, full personal information, swipe other user profiles left or right, etc.”
Prakash reported the flaws to Facebook and Tinder, and went public with his findings after the bugs were ironed out of the backend systems and app. Facebook paid out $5,000 in bug bounties, with Tinder kicking in an extra $1,250.
Thankfully, it doesn’t appear the holes were exploited in the wild. Hopefully this episode will encourage some programmers to double-check they’re not making the same blunders in their source code.