Tinder is a social dating application with more than 10 million downloads in the android play store and around 50 million people use Tinder every day according to this article.
For the people who do not know about Tinder, Tinder has launched Tinder Plus which requires a monthly paid subscription of $10 for people in the US under thirty years old, and $20 per month for users more than thirty years old. The paid version allows users to have unlimited use, while the free version only allows around 50-60 “swipes” during one session of swiping. After that, it prompts the user to pay for Tinder Plus or wait for around 12 hours. Tinder syncs with user’s Facebook account to pull photos, age, and name of the user. However, Tinder launched location based payment fees to promote the usage in other countries like India.
The location based payment option of Tinder can be exploited to use Tinder in the US, using a promotional offer of $3 per month instead of the usual $10 per month charge. The impact of this bypass can save a user $84 a year. I could not find a good statistic survey to know the number of user’s active in USA region. One source states that around 24% of 10 million users are using Tinder Plus paid app. You can do the math about the total loss to the company if all of those users were able to exploit this flaw to save $84 a year.
This would require a Facebook account, a mobile device, and an India phone number to perform this bypass. A quick Google search located a site where you can purchase an India number for $15-$18 a month. Personally, I have not used this site – I found the vulnerability when I was on vacation in India. I had registered for a local India number. I tried to reproduce the bypass when I came back in USA by creating a dummy Facebook account and using a friends help in India to forward me the registration code received on his cell phone.
Here are the steps to reproduce the bypass:
- Create a Facebook account or use an existing Facebook account and make sure the user’s age is less than 30.
- Download the Location Spoofer application.
- Modify the GPS location using Location Spoofer to a city like Mumbai (18.9750° N, 72.8258° E) in India for 1 hour or more.
- Download and install the Tinder dating application.
- Login into Tinder and allow Tinder to access your Facebook account information.
- Tinder will ask for a phone number and country. Select India and use the Indian phone number.
- Tinder will send a text message with the code to the Indian phone number to verify the account. Use the code to verify account.
- Swipe right until you reach a payment prompt. Tada!! The bypass works. Pay $3 for the monthly subscription and enjoy the Tinder Plus services.
Tinder depends on the authenticity of third party sources like Facebook and an Indian phone number to provide information about the user. I did use the help of a friend in India to get the 6-digit verification code. Although a new sim card/number can be brought in India for less than $5 and used to register for Tinder or it can be purchased online.
Here’s a demonstration of the hack:
Note: This was encountered in March 2015 and reported to Tinder. We were not able to get any response back from Tinder. This vulnerability has been fixed now.