I love security posts like this. His previous one about facebook messenger status was also really nicely done.
He doesn't succumb to the temptation to be abusive (to either the people who made the thing he's testing, the people reading, or anyone who might be impacted by it), which is something a lot of security researchers seem to find impossible to avoid; there's a lot of calling people various forms of stupid in many incident reports. Even when given ample opportunity by the Tinder folks to call them names, he didn't do so (and, didn't blow it out of proportion, either...it's problematic, but if you're using Facebook and Tinder, you probably are already aware you're giving up a lot of privacy; this is a big deal, but not vastly bigger than using facebook all by itself).
He explains clearly what he did, and what tools he used to do it, which is another thing that often gets left out. Many security folks follow the magician's code ("never show 'em how it's done"), and are dismissive that mere mortals could ever understand what they do.
And, he tells a good story in the process. All around, top notch technical writing about a usually boring subject.
The overall technical outline of the issue and what he did to figure it out are clear — and certainly interesting — but I am having a hard time reading the blog post. This writing style is exhausting to me. Instead of reading normally I find myself skipping more and more text to get to the bits that aren't silly jokes and internet slang. A shame, because it hides the technical insights he has.
At least he's not inserting meme-pictures every other paragraph, which seems to be a thing now even in otherwise well-written material.
I guess it could be more concise, but I rather enjoyed the humor. It's not an area I'm passionate about, even though it is important, so having it interlaced with jokes (silly though they may be) was a net win for me.
It's a surprise that Tinder launched Tinder Social just now in the US given that's the main source of the leaked data. Tinder Social was (and remains) opt-out in Australia while he was writing the article. Even if Tinder Social is now opt-in in the US, the fact they were dismissive of the vulnerability disclosure is concerning.
Any social network with deteriorating privacy is bad. One where the content can potentially be sensitive is even worse. If you started on a service and it kept becoming more private by default, that's fine - potentially annoying, but fine. If you start on a service and it kept becoming more public by default, then we have a problem.
The fact that Tinder don't realize Tinder profiles may contain sensitive information for a significant portion of their user base is hugely disturbing. As stated in the article, there are so many circumstances beyond cheating in which this is still an issue.
Assume for a fictional argument that I was born into a religious family, "no sex before marriage" type of thing, but enjoyed one night stands. One might use Tinder to do so quietly. Tinder didn't allow your friends to see that information before - I assumed I was safe from judgement by my family and their friends. Then Tinder rips that privacy you thought you had away!
Saying that users should have known better is not an excuse. As developers we must operate under the assumption that best practices are likely going to be missed or misunderstood. Tinder violated that in an extreme way in an attempted land grab for a large social market beyond hook-ups and dating.
Disclosure: I'm friends with the author and commented on drafts.
> I assumed I was safe from judgement by my family and their friends. Then Tinder rips that privacy you thought you had away!
Why would you think your profile is "secret" in any way to begin with? It is literally an app that shows you others using it NEARBY yourself. And a highly popular one at that.
The profiles are also public and there is no indication of them being private as far as I've ever read about the app.
One could say that there is an expectation that only other tinder users will discover you. Kinda like going to a bar or a strip club, which are activities that your community may disapprove of. Thus, you only encounter members outside of your community, or community members who are cool with it.
To use the things in the blog post you still need a Tinder account.
A disapproving family member could still go to a bar or open an account to try to find you there. Which you should be aware of because they are both still publicly accessible spaces.
The difference being that they would have to search multiple bars at multiple times of day. Instead we have a large billboard saying "Steve is at this bar and is interested in these types of activity while he's there!".
Have you seen the (now quite ancient) animated evolution of default Facebook privacy settings[1]? It's insane.
It's for this reason that, by default, I assume essentially everything I do online is public. My username is my name, almost everything on Facebook is defaulted to public, etc.
If you live under the assumption that you're never private, you'll never make the mistake of thinking you are.
I spent about 30-45 minutes trying to get this to work out of the box. Not sure if it's because my Python is rusty or maybe my installs are screwy. Either way, in order to get this to work, I ended up curling the Tinder API to get my token.
The feature will also opt you in (on Android at least) via a notification, with no confirmation upon opening the notification. Thanks, anti-privacy patterns!
As stated in both the repository and the blog post (a couple times, actually), you need to intercept the Tinder traffic after you've created a profile.
That's kind of scary that you can get that information just by (if I read this right) having the user ID of someone you "matched" with. This feels like it could lead to all sorts of weird stalking or something if a first-date went badly.
On an unrelated note, I liked the way that the post was written. It made reading the details more interesting (but then again, I'm one of those young whippersnappers, so maybe I'm just more prone to liking that sort of thing).
> That's kind of scary that you can get that information just by (if I read this right) having the user ID of someone you "matched" with.
Not quite... the API returns the Tinder user ID of all your Facebook friends that use Tinder. You can see who uses it, when they last used it, what picture they use there, etc.
You can also "swipe right" or "swipe left" using the API on anyone you have the Tinder user ID of, even if Tinder never matched them with you.
So it's scary in a "creep on your friends" way not in a "creep on strangers" way.
> having the user ID of someone you "matched" with
Most of the information was already available to someone you matched with (that's the whole point of matching), barring the 'last logged in' value. The real concern is that you can get the user id of any of your facebook friends, exposing information that was previously hidden unless you did match. Matching relies on two-party consent, this violates that for a subset of users.
Unless I'm missing something, the information displayed is shown for every Tinder user you see on the app before and after you are matched. There is no additional data leaked.
What it does do is allow you to quickly find your Facebook friends among the thousands of Tinder users in your area. You can find them anyway with enough swiping.
In your Tinder profile you can see which friends Tinder will show as common friends. This is a subset of your Facebook friends and I've always assumed these are your Facebook friends who are on Tinder.
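The two behaviours the comments above describe (a friends lookup that hands back the app-side ID, photo and last-active time of every Facebook friend on the service, and a swipe call that accepts any user ID whether or not it was ever shown to you) come down to two missing server-side checks. The toy model below is an added example written for this thread, not code from the blog post, the tinder-detective repository or Tinder; every class, field, user and the opt-in flag are constructed for illustration. It runs each call once against a leaky service and once against a hardened one, where friends are only listed if they opted in to being discoverable and a swipe is only accepted for an ID the server itself served in that viewer's feed.

```python
# Added example (hypothetical model, not Tinder's API): a server-side view of
# the friends lookup and the swipe call, with a hardened variant of each.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str                      # app-side ID (constructed)
    fb_id: str                        # Facebook ID the account was created with
    photo: str
    last_active: str
    fb_friends: set = field(default_factory=set)  # Facebook IDs of friends
    social_opt_in: bool = False       # opted in to being findable by friends


class Service:
    def __init__(self, users, hardened):
        self.users = {u.user_id: u for u in users}
        self.by_fb = {u.fb_id: u for u in users}
        self.likes = set()            # (from_id, to_id) pairs
        self.served = {}              # viewer_id -> IDs the feed has shown them
        self.hardened = hardened

    @staticmethod
    def _card(u):
        # The data every viewer sees on a card in the feed (per the thread).
        return {"user_id": u.user_id, "photo": u.photo, "last_active": u.last_active}

    def feed(self, viewer_id, candidate_ids):
        """Discovery feed: the only path a viewer is meant to reach a stranger by.
        The server records what it served so later calls can be checked against it."""
        self.served.setdefault(viewer_id, set()).update(candidate_ids)
        return [self._card(self.users[c]) for c in candidate_ids]

    def friends_on_app(self, viewer_id):
        """'Which of my Facebook friends use this app?'
        Leaky: every friend's card comes back, so a friend can be singled out
        without ever appearing in the viewer's feed.
        Hardened: only friends who opted in to being discoverable are listed."""
        viewer = self.users[viewer_id]
        out = []
        for fb in sorted(viewer.fb_friends):
            friend = self.by_fb.get(fb)
            if friend is None:
                continue
            if self.hardened and not friend.social_opt_in:
                continue
            out.append(self._card(friend))
        return out

    def swipe_right(self, viewer_id, target_id):
        """Leaky: any known ID is accepted, so a harvested ID can be liked blind.
        Hardened: only IDs the server served in this viewer's own feed.
        Returns True when the like completes a mutual match."""
        if target_id not in self.users:
            raise KeyError(target_id)
        if self.hardened and target_id not in self.served.get(viewer_id, set()):
            raise PermissionError("target was never shown to this viewer")
        self.likes.add((viewer_id, target_id))
        return (target_id, viewer_id) in self.likes


def _sample_users():
    # Constructed sample data: three accounts, all mutual Facebook friends of u1.
    return [
        User("u1", "fb1", "u1.jpg", "2016-07-01T10:00Z", fb_friends={"fb2", "fb3"}),
        User("u2", "fb2", "u2.jpg", "2016-06-28T22:00Z", fb_friends={"fb1"}),
        User("u3", "fb3", "u3.jpg", "2016-07-02T08:00Z", fb_friends={"fb1"},
             social_opt_in=True),
    ]


def run(hardened):
    """Exercise both calls; returns what u1 learns and whether a blind like lands."""
    svc = Service(_sample_users(), hardened)
    # u2 has already seen and liked u1 through the ordinary feed.
    svc.feed("u2", ["u1"])
    svc.swipe_right("u2", "u1")
    friends = [c["user_id"] for c in svc.friends_on_app("u1")]
    try:
        blind = svc.swipe_right("u1", "u2")   # u2 never appeared in u1's feed
    except PermissionError:
        blind = None
    svc.feed("u1", ["u3"])
    feed_swipe = svc.swipe_right("u1", "u3")  # served normally; u3 has not liked back
    return {"friends": friends, "blind_swipe": blind, "feed_swipe": feed_swipe}


if __name__ == "__main__":
    print("leaky   :", run(False))
    print("hardened:", run(True))
```

In the leaky run u1 learns that both friends are on the service and turns a harvested ID into a match without ever being shown that profile; in the hardened run only the opted-in friend is listed and the blind like is refused, while the ordinary feed-then-swipe path still works. The check that matters is the last one: the server must remember which IDs it actually served and reject actions on any other.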
virtualenv venv --python=python3.5
Running virtualenv with interpreter /usr/local/bin/python3.5
Using base prefix '/Library/Frameworks/Python.framework/Versions/3.5'
New python executable in venv/bin/python3.5
Also creating executable in venv/bin/python
Failed to import the site module
Traceback (most recent call last):
File "/Users/ericlw/Development/tinder-detective/venv/bin/../lib/python3.5/site.py", line 67, in <module>
import os
File "/Users/ericlw/Development/tinder-detective/venv/bin/../lib/python3.5/os.py", line 708, in <module>
from _collections_abc import MutableMapping
ImportError: No module named '_collections_abc'
ERROR: The executable venv/bin/python3.5 is not functioning
ERROR: It thinks sys.prefix is '/Users/ericlw/Development/tinder-detective' (should be '/Users/ericlw/Development/tinder-detective/venv')
ERROR: virtualenv is not compatible with this system or executable
Yes, and I'm not sure why he's getting downvoted. This is a legitimate Facebook feature.
Gender can be either Male, Female, or Custom, and Facebook gives you the option to choose which gender pronouns you prefer. Thus, to see it represented as a boolean is unusual. I'm curious as to what the value of that field is when a user has chosen Facebook's custom gender display options.
'Custom' wouldn't work in Tinder. They should have at least a third option but considering they show matches based on a gender preference having dozens of gender options will make the app quite useless as you'll be spreading people who would be interested in each other but use different terms to describe their gender into a wide variety of groups.
Are you claiming that it's equal to either only male, or only female? If not, then how exactly would you provide the information that an organism is both with a single required bit, where 0 is defined as female, and 1 as male?
I was attracted to hard sciences because the subjectivity of things like psychology turned me off. Statements like yours make me concerned that liberal arts departments are going to try to make science fit their narrative. The roles of male and female is one of the most universally common behaviors across species. If I grew a vagina and had a baby it doesn't make me a different gender. It means I took on some of the attributes of a human female. At that point I wouldn't consider myself male or female. But I certainly wouldn't try to make up a 3rd gender for my unique situation.
That's a very positivist approach, and I hope the liberal arts continue to erode such binary-based thinking in the sciences as I believe that philosophy makes better scientists. And so what if you "made up" another gender? Gender is socially constructed and is not a real, concrete construct. I'm sorry that considering concepts and people as unable to be hyper-taxonomized by artificial constraints is inconvenient to you and more valuable than treating the identities of others with respect.
Very good point, but in nature a binary of sexes is not absolute. You are applying the artificial gender binary to sexes, which in nature are often messy and unclear. This can range from species that change sex organs as they mature, take on different reproductive roles dependent on situations, and even manifests in a statistically significant amount of humans born with both sets of reproductive organs. Assuming two sexes, then going on to conflate that with gender, demonstrates only an elementary understanding of reproductive biology.
(1) Are there more than two gender identities? Yes.
(2) Are there more than two socially ascribed genders? Yes, given that (1) has achieved a significant degree of acceptance, as has aligning ascribed gender with identity.
(3) Are there more than two grammatical genders? Depends on the language.
(4) Are there more than two arrangements of sex-related biological traits? Yes
(5) Are there more than two of any of the items in #1, #2, or #4 on which people might have preferences that would be relevant in a dating app? Probably.
The commenter you're responding to is most likely using "gender" to refer to the concept you would describe as "sex". That is, the biological characteristic of being male or female rather than a grammatical concept.
A trait either is binary or is not (being binary is, itself, binary.) A trait that the vast majority of the time takes on one of two values, but other times takes on other values, is not binary.
Even if that was the exact set of possible values, that's not binary (though I suppose someone overexposed to SQL might mistake it for being binary...)
It's OPT-IN - you can tell because you would have said 'opt me in to Tinder Social'. Also, if you can remember, swipe to your profile screen. If you have opted in it has it in huge writing.