Tinder Subdomain Error Leaves Consumers Vulnerable


A subdomain error may have left millions of consumers vulnerable to attacks on websites like Tinder, Shopify, Imgur and Western Union.

White hat hackers found a cross-site scripting (XSS) flaw at go.tinder.com, a vulnerability that would have allowed attackers to embed malicious script in the website.

Such scripts can steal the personal data of users and make their accounts susceptible to hijacking.

The security flaw was part of the branch.io internet toolkit, which is widely used. VPNMentor claims that over 600 million internet users were at risk in total.

White hat hacker Ariel Hochstadt explains: “Immediately after finding these vulnerabilities, we contacted Tinder via their responsible disclosure program and started working with them.

“We learned that the vulnerable endpoint isn’t owned by Tinder, but by branch.io, an attribution platform used by many big corporations around the globe.”

Hochstadt and co. also reported the error to branch.io, who were reportedly able to patch it. They say that they received no indication that any personal data was exploited.

Online dating sites putting data at risk is often seen as particularly egregious, given that they handle sensitive information such as sexual orientation.

Grindr came under fire in 2018 for sending HIV data to third parties, for example. It has also faced criticism for failing to protect location information.
