Tinder finally swiped right on encryption.
Your Tinder swipes are now safe from the prying eyes of hackers sitting on your Wi-Fi network, and we may have to thank a US Senator for it.
Match Group Inc, the company that operates Tinder, said in a letter to Sen. Ron Wyden on Friday that the dating app is now better protecting swiping data and images, making it harder—if not impossible—for hackers to figure out who you were swiping right on.
Until today, it was possible for hackers on the same Wi-Fi network as a Tinder user—perhaps in a cafe, a library or in a university—to see what pictures the user was seeing. Hackers could also figure out who the user was swiping left or right, as researchers warned earlier this year. In light of that, Wyden sent a letter to Tinder on Valentine’s Day, requesting the company fix this issue.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
“I’m happy to report that swipe data has been padded such that all actions are now the same size (effective June 19, 2018), and the images transmitted between the Tinder app and servers are now fully encrypted as well (effective February 6, 2018; images on the web version of Tinder were already encrypted.)”
Researchers at security firm Checkmarx demonstrated how malicious hackers could exploit the lack of encryption in Tinder in a video last year.
There were to issues at play here. One, images were not being encrypted as from Tinder’s servers to the app, and vice versa. And two, the actions of swiping right and swiping left, even though were encrypted, produced different patterns of bytes, making them recognizable. As Wired explained, “Tinder represents a swipe left to reject a potential date, for instance, in 278 bytes. A swipe right is represented as 374 bytes, and a match rings up at 581. Combining that trick with its intercepted photos, TinderDrift can even label photos as approved, rejected, or matched in real time.”
Tinder is just the latest service to embrace web encryption, technically called TLS or HTTPS. This encryption protects data traveling across the internet, from the user to the server, and prevents hackers from intercepting and snooping on the data. For the last few years, tech companies and privacy advocates have led a widely successful campaign to push websites and apps to adopt encryption and better protect user’s privacy.
Swipe away kids.
Get six of our favorite Motherboard stories every day by signing up for our newsletter .