Kaspersky Lab researchers have discovered multiple vulnerabilities contained in popular dating apps. The consequences of this for users range from simply identifying a particular person, to unsecured data transmissions and the leaking of personal information. After analysing nine popular global services, we found that some of them provide very low levels of data protection.
Dating apps have become popular all over the world. According to Kaspersky Lab’s recent report “Dangerous Liaisons: is everyone doing it online?” as many as one-in-three people are currently using an online dating service. But with the increasing popularity of these services comes an important security issue, since most dating services require users to share personal information. With this in mind, a team of Kaspersky Lab researchers decided to examine how secure they really are. They conducted detailed analyses of the most popular dating applications in different world regions, looking for various vulnerabilities that could affect users’ real lives and change their status from “daters” to “victims”.
This research revealed that users face multiple risks when using online dating apps. For example, they can be identified by finding out their names and surnames from social network profiles and can also be found in the physical world through the use of geolocation data. Furthermore, they can lose access to their accounts, or have their personal data fall into the wrong hands.
Our experts have discovered a common security risk present in several applications, related to the token-based authentication method which is used by dating apps for new registration and sign-up processes. A token is created on request by a server in order to uniquely identify the user and usually asks for access to a Facebook account. It then provides access to general user information, including first and last names, the user’s e-mail address and their profile picture. By using this method, applications receive all the necessary data to enable them to authenticate the user on its servers. However, based on the research, tokens are often stored or used insecurely and, therefore, can be easily stolen. As a result, intruders are able to gain temporary access to victims’ accounts even without their login and password details.
Users may also face another threat related to the safety of message histories, which are stored on the device and can be accessed and read by intruders. These attacks pose a particular threat to users of Android devices. Some of them – those running outdated software – contain vulnerabilities that enable attackers to gain root access to the device. This in turn can lead criminals to private information, including messages written and photos viewed in their chosen dating apps.
In addition, users of six of the analysed apps can be detected by their location. In some of the apps Kaspersky Lab also identified risks in the data transmission process. Although most applications use SSL (Secure Sockets Layer) to secure communication with servers, some data is sent via the HTTP protocol and is not encrypted. This provides hackers with the opportunity to intercept these communications, which often contain personal information such as the user’s location, profiles visited, messages, device data etc. Using an insecure connection, intruders can also gain control of a victim’s account.
“With the development of the web came the emergence of various social media platforms and applications designed to make our lives easier and more convenient: for example, online dating apps aiming to help us find companions. However, many of these services are not protected against cyber attacks,” said David Emm, Principal Security Researcher at Kaspersky Lab.
“Daters are also putting themselves at risk by sharing sensitive personal information in their profiles, such as their place of education and work. Armed with this information, intruders can easily find victims’ real accounts on Facebook and LinkedIn networks. It also opens possibilities for stalking – to harass people and track their movements in real life. Therefore you should be sure to carefully monitor your privacy, security and data protection when dating online.”
To prevent your data from theft, Kaspersky Lab recommends the following:
- Avoid public Wi-Fi hotspots which offer limited protection,
- Use a VPN to ensure a secure connection,
- Don’t share your sensitive ID information, such as education, work place, etc.,
- Install a reliable security solution on your device such as Kaspersky Internet Security for Android.
[su_box title=”About Kaspersky Lab” style=”noise” box_color=”#336588″][short_info id=’59584′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.