A flaw in the popular location-based dating application Tinder that would allow an attacker to view users’ personal information went unaddressed for weeks, despite the company’s initial claims that it solved the problem within hours, Quartz reported. The company attributed the error to a lapse in security during development and dismissed it as minor. However, some have suggested the application’s API continues to expose more information than it should.
According to Quartz, the flaw in Tinder’s API allowed users to access more information about other users than they should have been able to through the use of a simple hack. The information was not visible in the app, but files downloaded to users’ phones included sensitive data about other recommended users such as their most recent location while using the app and their Facebook ID.
Tinder gathers its users’ locations in order to match people in geographic proximity. CEO Sean Rad told Quartz that it does not use the most precise location data, in order to preserve battery life. Rad also downplayed the issue, noting that the flaw was only active for a few hours and was therefore minor enough that it did not even warrant disclosure.
A follow-up article featuring emails from security researcher Michael Soares suggested, however, that the flaw had been disclosed to the company twice, the first time as early as two weeks before it was patched. Tinder told Soares it had patched the issue on July 15, but the same problem was discovered by another researcher on July 21. The company attributed the recurrence to the launch of its Android app. According to Quartz, the API still shows users’ birthdates and information about their Facebook photos, which writer Zachary Seward deemed unnecessary.
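The pattern described above, an API returning fields the client never displays (last location, Facebook ID, birthdate), is a serialization problem: the response is built from the full internal record instead of from an explicit contract. The example below is added here and is not Tinder's code; the record layout, field names and values are constructed. It contrasts a denylist-based serializer, which keeps leaking whenever a field is added that nobody thought to strip, with an allowlist-based one, and includes a small audit function that flags any field in a response beyond the contract. The article does not say how the exposure arose; the denylist-versus-allowlist contrast is a general lesson, not a description of Tinder's implementation.

```python
"""Allowlist serialization and response auditing for a "recommended users" API.

Added example, not the code of any product named in the article. Record layout,
field names and sample values are constructed for illustration.
"""
from typing import Any, Dict, List, Set

# Constructed internal record as a backend might store it. The client only
# needs what it renders; every other field sent over the wire is exposure.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {
        "id": "u1001",
        "name": "Alex",
        "age": 29,
        "photos": ["https://cdn.example.invalid/u1001/1.jpg"],
        "bio": "Coffee and hiking.",
        # Sensitive fields that have no place in a recommendation payload.
        "birth_date": "1994-03-02",
        "last_location": {"lat": 40.7128, "lon": -74.0060, "at": "2013-07-21T10:00:00Z"},
        "facebook_id": "100000000000001",
        "email": "alex@example.invalid",
    },
]

# The contract with the client: these fields and nothing else.
RECOMMENDATION_FIELDS: Set[str] = {"id", "name", "age", "photos", "bio"}

# A denylist written after the first report. It strips what was reported and
# nothing else, so fields added later (or never noticed) still go out.
STRIP_FIELDS: Set[str] = {"birth_date", "last_location"}


def serialize_with_denylist(record: Dict[str, Any]) -> Dict[str, Any]:
    """Weak form: copy the whole record and remove known-bad keys."""
    return {k: v for k, v in record.items() if k not in STRIP_FIELDS}


def serialize_recommendation(record: Dict[str, Any]) -> Dict[str, Any]:
    """Hardened form: build the payload only from allowlisted keys."""
    return {k: record[k] for k in RECOMMENDATION_FIELDS if k in record}


def excess_fields(payload: Dict[str, Any], allowed: Set[str]) -> Set[str]:
    """Keys present in a response beyond the contract."""
    return set(payload) - allowed


def audit_batch(payloads: List[Dict[str, Any]], allowed: Set[str]) -> Dict[int, List[str]]:
    """Map each offending response index to its sorted excess keys.

    Suitable as a regression test against captured API responses, so a field
    that reappears (for example after a new client platform ships) is caught
    before release rather than by an outside researcher.
    """
    result: Dict[int, List[str]] = {}
    for i, payload in enumerate(payloads):
        extra = excess_fields(payload, allowed)
        if extra:
            result[i] = sorted(extra)
    return result


if __name__ == "__main__":
    leaky = [serialize_with_denylist(r) for r in SAMPLE_RECORDS]
    safe = [serialize_recommendation(r) for r in SAMPLE_RECORDS]
    print("denylist serializer still exposes:", audit_batch(leaky, RECOMMENDATION_FIELDS))
    print("allowlist serializer exposes:", audit_batch(safe, RECOMMENDATION_FIELDS))
```

The audit step is the part worth wiring into a test suite: run it over recorded responses from every client platform, since a payload that is clean for one app build can differ for another.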
Rad told Quartz that this kind of issue “happens as you’re developing products,” although he later denied the quote on Twitter. The value in eliminating bugs prior to release and avoiding a protracted spell of damaging press, however, is clear. Organizations looking to shore up confidence in their applications can strengthen security during the development process by using tools such as static analysis software to catch errors and avoid exposing user data down the line.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.