Researcher Exposes Security Flaws In Chinese Rival To Tinder
A dating app dubbed the Chinese clone of Tinder has been outed by a researcher for a number of security flaws.
This week, the founder & CEO of crowdsourced testing service Pay4Bugs, Larry Salibra, reported that Chinese dating app Tantan was failing to use encryption software, and was endangering the safety of its users and their personal information.
Salibra reported that on the surface the iOS app appeared smoother and more refined than the American app that inspired it; a closer look, however, uncovered some concerning issues.
After creating an account on the app, Salibra found that Tantan’s developers had not switched off their debug messages, and he was able to read his own unencrypted information as it passed from the app to its server.
He wrote: “I could see the password I had just entered, my phone number and all the people I was being matched with. And if I could read it, that means any number of other people could as well.”
Another problem found during the investigation was that, upon joining, users not only expose their own sensitive data in readable form, but could also expose the people in their contact list.
Upon joining, Tantan asks users to share their contacts.
If access is granted, the contact information is sent to the app’s server without encryption, making the details available to anyone who might wish to read them.
Similar issues are also evident in Tantan’s location technology.
In Tinder-style fashion, the app requests access to each user’s location information in order to match them with people nearby.
Problematically, Tantan sends this information to its server up to several times a minute, transmitting the readable location data repeatedly.
Salibra first noticed the app’s lack of encryption eight months ago, yet after numerous app updates, Tantan still showed no signs of changing its security procedures.
However, since the information was published, Tantan CEO and co-founder Yu Wang has contacted Salibra to acknowledge the issues raised and to confirm that the company is working on a fix.
In an email, Wang outlined the app’s security problems, saying that the company is now working on fixing its lack of HTTPS/SSL and turning off debugging.
He also sought to clarify a few points made by Salibra in the initial report, including why the sensitive data of its users is not encrypted, saying that the information in question is publicly available in the app anyway.
He said: “Due to the nature of the app, users fill in profile information on Tantan to make them available publicly for all other users.
“Profile information ‘exposed’ through the API is available through the app anyway, especially since you need to be on the same network and thus close by to ‘listen in’.”
Wang also explains that contact information is in fact encrypted using a “one-way hash function”, meaning that any contact list information cannot be accessed by others.
He describes the risk to Tantan’s user data as “radically different from a full database breach like the one Ashley Madison had.”
Read Salibra’s full blog post here, and read the Tantan CEO’s response here.