Highlights
- Surfacing Snyk scanning results to 3,500+ developers
- Running 5.5 million SCA tests using Snyk Open Source
- Scanning 100% of containers deployed across the organization with Snyk Container
- 65% reduction in high severity container vulnerabilities within a few months
“PingSafe is an excellent solution for dynamic and real-time monitoring of all the multi-cloud workloads. The flexibility of configuration and the ease of maintenance is a big plus.”
Subhajit Deb
Global CISO, Dr. Reddy’s
Cloud Security Challenges
Both Tinder’s web and mobile applications allow users to use their mobile phone numbers to log in to the service, and this login service is provided by Account Kit (Facebook).
Login Service Powered by Facebook's Account Kit on Tinder
The user clicks "Login with Phone Number" on tinder.com and is redirected to Accountkit.com to log in. If authentication succeeds, Account Kit hands an access token back to Tinder, which uses it to log the user in.
Interestingly, the Tinder API did not check the client ID (the app the token was issued to) on the access token it received from Account Kit.
This meant an attacker could present an Account Kit access token issued for any other app, as long as it belonged to the victim's phone number, and take over the victim's real Tinder account.

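The flaw above comes down to a missing audience check: the login service accepted any valid Account Kit token without confirming it was issued to Tinder's own client ID. The following is an added illustration, not Tinder's or Account Kit's code; the token-introspection responses, app ids and phone numbers are constructed, and the hardened handler rejects a token minted for a different app even though the token itself is valid.

```python
# Added illustration of the missing client-ID (audience) check described above.
# The introspection data, ids and phone numbers are constructed for this example;
# this is not Account Kit's real API or Tinder's real login code.

EXPECTED_APP_ID = "app-tinder"  # the client ID the login service must require

# Simulated token-introspection results keyed by access token (constructed).
# A real deployment asks the identity provider; it never trusts claims supplied
# by the client itself.
INTROSPECTED = {
    "tok-tinder-alice":   {"id": "user-alice", "phone": "+15550001",
                           "application": {"id": "app-tinder"}},
    "tok-otherapp-alice": {"id": "user-alice", "phone": "+15550001",
                           "application": {"id": "app-other"}},
}


def introspect(access_token):
    """Resolve a token with the provider; None if unknown or expired."""
    return INTROSPECTED.get(access_token)


def login_vulnerable(access_token):
    """Before: any valid provider token is accepted, regardless of which
    app it was issued to, so a token for an unrelated app logs the user in."""
    info = introspect(access_token)
    if info is None:
        return None
    return info["phone"]


def login_hardened(access_token):
    """After: the token must carry our own client ID as its audience.
    A token issued to another app is refused even though it is 'valid'."""
    info = introspect(access_token)
    if info is None:
        return None
    app = info.get("application") or {}
    if app.get("id") != EXPECTED_APP_ID:
        return None  # audience mismatch: token was not issued to this app
    return info["phone"]
```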
Cloud Security Results
Account Kit is a product of Facebook that lets people quickly register for and log in to some registered apps by using just their phone numbers or email addresses without needing a password. It is reliable, easy to use, and gives the user a choice about how they want to sign up for apps.
“PingSafe is ahead of other security platforms in terms of technical capabilities, ease-of-use, and the documentation. We made the right decision to make PingSafe our security platform of choice.”
About the Vulnerability
There was a vulnerability in Account Kit through which an attacker could have gained access to any user's Account Kit account using only their phone number. Once in, the attacker could have obtained the user's Account Kit access token from the cookies (aks).
Vulnerable Tinder API:
POST /fetch-sinch-recordings.php HTTP/1.1
Host: 167.88.123.157:80
Content-Type: application/json
Connection: close
Accept: */*
User-Agent: CallRecorder/2.25 (com.arun.callrecorderadvanced; build:1; iOS 14.4.0) Alamofire/4.7.3
Accept-Language: en-IN;q=1.0, kn-IN;q=0.9, hi-IN;q=0.8, hi-Latn-IN;q=0.7
Content-Length: 72
Accept-Encoding: gzip, deflate
{
"UserID": "xxxxxx",
"AppID": "xxx"
}
A 99% savings in time and effort
Both vulnerabilities were fixed by Tinder and Facebook quickly. Facebook rewarded me with USD 5,000, and Tinder awarded me USD 1,250.

