I remember the early days of Tinder when they would allow unauthenticated API calls from anywhere and returned location information accurate to a few feet.
> . Just by being on the same Wi-Fi network as any user of Tinder's iOS or Android app, the researchers could see any photo the user did, or even inject their own images into his or her photo stream
I think that it’s possible they realize privacy concerns are not foremost in the minds of people looking to hook up with perfect strangers. I would guess that “random hookup” and “serious about security” will tend to be mutually exclusive.
yes, but inexcusable on the part of the tinder software developers, IMHO, considering the very low technical/knowledge barrier to entry to do proper TLS1.2 everywhere now.
You assume the tinder devs have the freedom to work on what they want to. As frustrating as it is, in big corporate engineering shops, you are paid to do what the execs want to be done, not what you know needs doing.
I disagree. There will be a line to draw between acceptable participants and unacceptable ones, regardless of the game.
For example, even though drug deals are illegal and sketchy, there is still etiquette to be followed; there is still a chance you could be "sketchy" to the majority of drug dealers.
There is a proper way to behave for random hookups, and there is an improper way to behave. The difference may actually accentuated in hookups (and other high-risk activities) because there is more at stake.
I'm not interested in their product, but if I were, I think the thought of the amount of intimate data that Tinder collects from its users would keep me well away.
While the images over HTTP seems really trivial to fix and can be considered as a "big mistake" from the devs, the other point in this article about the number of bytes is trickier: wondering if any other HTTPS traffic could be "guessed" like that (likes on facebook or instagram? ...), any other known case of that kind? how would one protect against that?
While no app should ever leak data, I'm skeptical of a lot of those "concerns". Effort / effect seems to be in a non-practical area to justify even an attempt at data-snooping.
In general reading infosec news it might seem that everything these days is so insecure and vulnerable to the point where "if you have something valuable to anyone else they'll get it eventually" might seem to be mostly true.
On the other hand in real news on the individual level of hacks (not speaking of viruses and the like here) there's almost never anything apart from the occasional "dumb" hack with nothing more sophisticated than a guessed or fished password for instance, without any further effort giving the hacker access to a trough of invaluable data.
I don't understand this discrepancy, can someone with the know in the security industry say if anyone without "top secret" data or not being a VIP character even bother about the "concerns" raised in most instances, apart from following basic security practices, i.e. updating often, using strong passwords, not entering data to phishing sites?
16 comments
[ 3.1 ms ] story [ 48.4 ms ] threadThis doesn't seem like much has changed.
goatse for everyone! everywhere!
For example, even though drug deals are illegal and sketchy, there is still etiquette to be followed; there is still a chance you could be "sketchy" to the majority of drug dealers.
There is a proper way to behave for random hookups, and there is an improper way to behave. The difference may actually accentuated in hookups (and other high-risk activities) because there is more at stake.
In general reading infosec news it might seem that everything these days is so insecure and vulnerable to the point where "if you have something valuable to anyone else they'll get it eventually" might seem to be mostly true.
On the other hand in real news on the individual level of hacks (not speaking of viruses and the like here) there's almost never anything apart from the occasional "dumb" hack with nothing more sophisticated than a guessed or fished password for instance, without any further effort giving the hacker access to a trough of invaluable data.
I don't understand this discrepancy, can someone with the know in the security industry say if anyone without "top secret" data or not being a VIP character even bother about the "concerns" raised in most instances, apart from following basic security practices, i.e. updating often, using strong passwords, not entering data to phishing sites?