This article is part of the research and development effort conducted by HERT (Hacker Emergency Response Team). It is not a production tool for either attack or defence within an information warfare setting. Rather, it is a project demonstrating proof of concept.

Using our own Tinder profile, we are going to look for males within 2km. The attack will be too slow if you live in a big town and extend the range.

The initial target has to be male; the attack is less likely to succeed if we pick a female. Men propose, women dispose…

We swipe left until we find our target. We will call him Bob.

We have to make sure Bob is attractive or the attack will probably not work. If in doubt we can ask a female friend.

We take a screenshot of Bob’s profile pictures and write down his biography.

Now we’ll create a fake Facebook profile for Bob. We’ll use the same first name and the same age.

Then we register our fake Bob on Tinder.

Let’s swipe right and super like every girl within 2km. In a big town like London, this step can take ages. Luckily, we can use a Chrome Extension called Flamite by @mrP1ng which will auto-like everyone.

Pick an attractive match or a super like response. We’ll call our second target Alice.

We create another fake Facebook profile and register her on Tinder.

We’ll limit the search to 2km and swipe right until we find the original Bob.

We super like Bob and wait patiently for a reply.

“[…] conversations initiated by a Super Like last 70% longer.”

Bob “Hello :)”

Success! Our fish has taken the bait.

This is called a man in the middle attack.

“In cryptography and computer security, a man-in-the-middle attack (often abbreviated MitM, MiM attack, MitMA or the same using all capital letters) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.”

Bob “How are you?” => Fake Alice => Fake Bob => Alice

Alice “I’m fine. You?” => Fake Bob => Fake Alice => Bob

Bob “Always good :) Where are you?” => Fake Alice => Fake Bob => Alice

Alice “Shoreditch, you?” => Fake Bob => Fake Alice => Bob

Bob “I live next to Piccadilly Circus. Any plans for tonight?” => Fake Alice => Fake Bob => Alice

Not only can we eavesdrop on the conversation of two strangers, we can also change their reality.

Let’s decide where they will meet!

Bob “Fancy a drink?” => Fake Alice => Fake Bob “Fancy a drink? Have you been to sketch” => Alice

Alice “I haven’t, just googled it. The toilets are crazy!” => Fake Bob => Fake Alice “Yes, let’s meet at sketch on Conduit street!” => Bob

We can add some spice.

Alice “See you tonight” => Fake Bob => Fake Alice “I want you to kiss me passionately as soon as you see me. Dare?” => Bob

At some point people exchange phone numbers and the Tinder convo stops. That’s not a problem.

Extending the attack to SMS, WhatsApp, iMessage and voice.

We’ll need two SIM cards and two extra phones.

Register both phones for Messages, FaceTime and WhatsApp… (we must not forget to add a profile picture for WhatsApp.)

When Alice and Bob exchange phone numbers, just replace their numbers with the phone numbers you control.

Alice “0775551212” => Fake Bob => Fake Alice “077123456” => Bob

That’s it, now we can relay SMS, iMessage, WhatsApp and even voice calls.

Relaying voice conversations is a bit tricky. The easiest solution is to reject the calls and only relay the voicemail messages. We can also answer the call and tell the person “can you just wait two seconds please?”, mute the call, call the other party and conference them with the speakerphones.

The simplest solution is to forward all incoming calls, but we won’t be able to eavesdrop anymore. If you are a tech, you can use two GSM cards and configure Asterisk, a free and open source communication server, to route and record the calls.

We can imagine all kinds of crazy scenarios… If we know Bob in real life and he’s cheating on his girlfriend, we can send her the logs or invite her to the same date. We could also play jokes on our friends and make them believe they have a really hot date.

Note: I demonstrated a similar social engineering attack for Facebook in 2013 at Forrester’s Forum For Security & Risk, London. At the time, it was possible to pay a small amount of money to Facebook to get a message delivered in the inbox of the target… Strangers’ messages would end up in the others mailbox that no one read. It was never published and Facebook removed that feature.

Edit: Tinder’s response:

Thanks for your report and your interest in protecting our users. While Tinder does employ several manual and automated mechanisms to deter fake and/or duplicate profiles, ultimately, it is unrealistic for any company to positively validate the real-world identity of millions of users while maintaining the commonly expected level of usability. We will certainly continue to look for any areas we can improve and/or remedy the ability to create the scenario you described.

Thanks,
Tinder Security Team
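
From the defender's side, the duplicate-profile detection mentioned in Tinder's reply can start from exactly the fields the clone reuses: first name, age, biography and a nearby location. The check below is an added example, not Tinder's code and not part of the original post; the profile fields, thresholds and sample accounts are constructed assumptions, and photo comparison is left out.

```python
import math
from difflib import SequenceMatcher

# Constructed sample accounts (not real data): "created" is a day counter.
PROFILES = [
    {"id": "u1", "name": "Bob", "age": 29, "created": 100,
     "bio": "Coffee, climbing and bad puns. Londoner.", "lat": 51.5101, "lon": -0.1340},
    {"id": "u2", "name": "Alice", "age": 27, "created": 220,
     "bio": "Designer. Shoreditch. Dogs over cats.", "lat": 51.5265, "lon": -0.0780},
    {"id": "u3", "name": "Bob", "age": 29, "created": 900,   # near-copy of u1
     "bio": "Coffee, climbing & bad puns. Londoner", "lat": 51.5110, "lon": -0.1330},
    {"id": "u4", "name": "Bob", "age": 29, "created": 905,   # same name/age, own bio
     "bio": "Chef. I travel a lot for work.", "lat": 51.5120, "lon": -0.1300},
]

def distance_km(a, b):
    """Great-circle (haversine) distance between two profiles in km."""
    p1, p2 = math.radians(a["lat"]), math.radians(b["lat"])
    dlat, dlon = p2 - p1, math.radians(b["lon"] - a["lon"])
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def bio_similarity(a, b):
    """Similarity ratio in [0, 1]; case and outer whitespace are ignored."""
    return SequenceMatcher(None, a["bio"].lower().strip(), b["bio"].lower().strip()).ratio()

def find_suspected_clones(profiles, radius_km=2.0, min_similarity=0.85):
    """Return (newer_id, older_id) pairs sharing first name and age, with
    near-identical bios, located within radius_km of each other."""
    ordered = sorted(profiles, key=lambda p: p["created"])
    flagged = []
    for i, older in enumerate(ordered):
        for newer in ordered[i + 1:]:
            if (older["name"].lower(), older["age"]) != (newer["name"].lower(), newer["age"]):
                continue
            if distance_km(older, newer) > radius_km:
                continue
            if bio_similarity(older, newer) >= min_similarity:
                flagged.append((newer["id"], older["id"]))  # newer account is the suspect
    return flagged

if __name__ == "__main__":
    for suspect, original in find_suspected_clones(PROFILES):
        print(f"queue {suspect} for review: looks like a copy of {original}")
```

A hit is a reason to queue the newer account for manual review or photo verification, not proof of impersonation, since two real people can share a name and age in the same area.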

—

You can find me on Twitter: @zboralski

The Internet is a digital shanty town