Aim and pow! Famous ethical hacker Anand Prakash, who has won bounties worth crores for reporting bugs, was recently at work again. Prakash found an account takeover vulnerability in the Tinder application and was awarded Rs 400,000 for discovering the bug.
The vulnerability allowed an attacker to gain access to a Tinder account, and was more likely to affect people who logged in with their mobile number. Prakash found that it was exploitable through a vulnerability in Account Kit by Facebook. In simpler words, both the Tinder web and mobile applications let users log in with their mobile numbers, and this login service is provided by Account Kit (by Facebook). As has been clarified, the vulnerabilities were plugged quickly by the engineering teams at Facebook and Tinder.
When a user clicks on Login with Phone Number on Tinder, they are redirected to Accountkit.com to log in. If authentication succeeds, Account Kit passes an access token to Tinder to complete the login.
However, as Prakash found, the Tinder API was not checking the client ID on the token provided by Account Kit. This let an attacker use an access token that Account Kit had issued for any other app to take over real Tinder accounts of other users. In other words, a vulnerability in Account Kit allowed access to any user's Account Kit account using only their phone number. Once in, the attacker could obtain the user's Account Kit access token from the cookies (aks). The attacker could then use that access token to log into the user's Tinder account through the vulnerable API.
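The missing server-side check described above, shown as an added example (not code from Tinder, Facebook or the article): a login handler that only verifies the token resolves to a user, beside one that also requires the token to have been issued for the app's own client ID. The introspection record layout (`id`, `application.id`) and all token and ID values are constructed placeholders, not Account Kit's real response format.

```python
# Added example: why a login service must verify the client/app ID on a
# delegated-login token, not just that the token is valid.
# Field names and values below are constructed placeholders (assumption).

OUR_APP_ID = "our-app-id-placeholder"

# Constructed stand-in for the identity provider's token introspection:
# token string -> record describing the user and the app the token was issued to.
INTROSPECTION = {
    "token-issued-to-our-app": {
        "id": "user-42", "application": {"id": OUR_APP_ID}},
    # Same phone-number user, but the token was minted for a different app.
    "token-issued-to-other-app": {
        "id": "user-42", "application": {"id": "other-app-id-placeholder"}},
}


def introspect(token):
    """Return the introspection record for a token, or None if it is invalid."""
    return INTROSPECTION.get(token)


def token_belongs_to_app(record, expected_app_id):
    """True only if the identity provider issued this token to expected_app_id."""
    return record.get("application", {}).get("id") == expected_app_id


def vulnerable_login(token):
    """Mirrors the flaw in the article: any valid provider token logs the user in."""
    record = introspect(token)
    return None if record is None else record["id"]


def hardened_login(token, expected_app_id=OUR_APP_ID):
    """Rejects tokens issued to any app other than ours; None means login refused."""
    record = introspect(token)
    if record is None or not token_belongs_to_app(record, expected_app_id):
        return None
    return record["id"]
```

With the hardened check, a token obtained through another Account Kit app no longer maps to a login on this service, even though the provider considers the token itself valid.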
Prakash immediately reported these bugs to both Tinder and Facebook and was awarded $5,000 (Rs 325,000) by Facebook and $1,250 (Rs 81,000) by Tinder.