"Both the vulnerabilities were fixed by Tinder and Facebook quickly," wrote Appsecure's Anand Prakash on Medium. Facebook and Tinder rewarded the company $5000 and $1250, respectively, for its report. This isn't the first report of Tinder security flaws, either: the company previously failed to encrypt user photos and (back in 2014) exposed users' exact locations for months.

When you log in to Tinder, you have the option of using your phone number, which is then passed along to Facebook's Account Kit for authentication to Tinder. The Appsecure folks found that they could get a valid access token with an API request to Facebook's Account Kit using a phone number. In addition, Tinder's login system wasn't checking these access tokens to make sure they matched the associated user's client ID, which means that any valid access token could let someone log in to your Tinder account.
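The server-side check that was missing, sketched as an added Python example (not Tinder's or Facebook's code): a login handler that accepts any token the provider recognizes, next to one that also requires the token to have been issued to its own client ID. The token table, the field names (`client_id`, `phone`, `expires_at`) and the expiry check are assumptions for illustration, not Account Kit's real response format.

```python
import hmac

OUR_CLIENT_ID = "app-1111"  # constructed: the client ID registered for our app

# Constructed stand-in for the identity provider's token lookup. Field names
# are assumptions for illustration, not Account Kit's real response format.
ISSUED_TOKENS = {
    "tok-ours":  {"client_id": "app-1111", "phone": "+15550100", "expires_at": 2000},
    "tok-other": {"client_id": "app-9999", "phone": "+15550100", "expires_at": 2000},
    "tok-stale": {"client_id": "app-1111", "phone": "+15550101", "expires_at": 500},
}

def introspect(token):
    """Return the provider's record for a token, or None if it was never issued."""
    return ISSUED_TOKENS.get(token)

def login_unchecked(token):
    """The behaviour described above: any token the provider knows is accepted."""
    info = introspect(token)
    if info is None:
        return None, "unknown token"
    return info["phone"], "ok"

def login_checked(token, now):
    """Accept a token only if it was issued to our client ID and is unexpired."""
    info = introspect(token)
    if info is None:
        return None, "unknown token"
    # The missing check: the token must have been minted for this application.
    if not hmac.compare_digest(info["client_id"], OUR_CLIENT_ID):
        return None, "client_id mismatch"
    if info["expires_at"] <= now:
        return None, "expired"
    return info["phone"], "ok"

if __name__ == "__main__":
    for tok in ISSUED_TOKENS:
        print(tok, login_unchecked(tok), login_checked(tok, now=1000))
```

The rejection reason returned by `login_checked` is worth logging: a run of `client_id mismatch` results for one phone number is a signal that tokens minted for another application are being presented.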

Update: A Tinder spokesperson has issued the company's official statement: