Stalking your Facebook friends on Tinder

315 points by adamch, almost 9 years ago

21 comments

SwellJoe, almost 9 years ago
I love security posts like this. His previous one about Facebook Messenger status was also really nicely done.

He doesn't succumb to the temptation to be abusive (to either the people who made the thing he's testing, the people reading, or anyone who might be impacted by it), which is something a lot of security researchers seem to find impossible to avoid; there's a lot of calling people various forms of stupid in many incident reports. Even when given ample opportunity by the Tinder folks to call them names, he didn't do so (and, didn't blow it out of proportion, either...it's problematic, but if you're using Facebook and Tinder, you probably are already aware you're giving up a lot of privacy; this is a big deal, but not *vastly* bigger than using Facebook all by itself).

He explains clearly what he did, and what tools he used to do it, which is another thing that often gets left out. Many security folks follow the magician's code ("never show 'em how it's done"), and are dismissive that mere mortals could ever understand what they do.

And, he tells a good story in the process. All around, top notch technical writing about a usually boring subject.

Smerity, almost 9 years ago
It's a surprise that Tinder launched Tinder Social just now in the US given that's the main source of the leaked data. Tinder Social was (and remains) opt-out in Australia while he was writing the article. Even if Tinder Social is now opt-in in the US, the fact they were dismissive of the vulnerability disclosure is concerning.

Any social network with deteriorating privacy is bad. One where the content can potentially be sensitive is even worse. If you started on a service and it kept becoming more private by default, that's fine - potentially annoying, but fine. If you start on a service and it kept becoming more public by default, then we have a problem.

The fact that Tinder don't realize Tinder profiles may contain sensitive information for a significant portion of their user base is hugely disturbing. As stated in the article, there are so many circumstances beyond cheating that this is still an issue.

Assume for a fictional argument that I was born into a religious family, "no sex before marriage" type of thing, but enjoyed one night stands. One might use Tinder to do so quietly. Tinder didn't allow your friends to see that information before - I assumed I was safe from judgement by my family and their friends. Then Tinder rips that privacy you thought you had away!

Saying that users should have known better is not an excuse. As developers we must operate under the assumption that best practices are likely going to be missed or misunderstood. Tinder violated that in an extreme way in an attempted land grab for a large social market beyond hook-ups and dating.

Disclosure: I'm friends with the author and commented on drafts.

markwaldron, almost 9 years ago
I spent about 30-45 minutes trying to get this to work out of the box. Not sure if it's because my Python is rusty or maybe my installs are screwy. Either way, in order to get this to work, I ended up curling the Tinder API to get my token.

    curl -v -X POST 'https://api.gotinder.com/auth' -H 'Content-Type: application/json' --data '{"facebook_token": "facebook_token_string", "facebook_id": "facebook_id_string"}'

With that I modified the Python code to no longer POST to get the X-Auth-Token and just pasted it in there:

    self.headers["X-Auth-Token"] = 'auth_token_string'
    print("Authenticated to Tinder ")
    self.authed = True
    print self.authed

After that, everything worked fine!

spdustin, almost 9 years ago
Amusing HN shout-out in the code [0]

> *"""Yeah it's really important to write extremely enterprise well-documented hacky API code. Hacker News will love it I swear."""*

[0]: https://github.com/defaultnamehere/tinder-detective/blob/13bf88d88c0b0f8ba5a28c11fc53a9feb5f641ec/api.py#L10

minimaxir, almost 9 years ago
Can confirm the new Tinder Social feature is opt in, with reasonable warning: https://imgur.com/ie8IgSZ

Feature can be disabled at any time.

colecut, almost 9 years ago
Connection count is just how many friends they have, not how many swipes.

There's nothing new to discover with this 'hack', seeing your friends' Tinder profiles is what Tinder Social does.

haack, almost 9 years ago
For some reason I read through the commits in the GitHub repo. Wasn't disappointed.

blubb-fish, almost 9 years ago
Can't get it to work ... where do I get my Facebook user id and token from?

Do I have to create an App featuring access to my friend list for that?

markwaldron, almost 9 years ago
What format do the id and keys in secrets.json need to be in?

mdadm, almost 9 years ago
That's kind of scary that you can get that information just by (if I read this right) having the user ID of someone you "matched" with. This feels like it could lead to all sorts of weird stalking or something if a first date went badly.

On an unrelated note, I liked the way that the post was written. It made reading the details more interesting (but then again, I'm one of those young whippersnappers, so maybe I'm just more prone to liking that sort of thing).

youngDogChick, almost 9 years ago
I'm getting a 401 error when I do curl https://api.gotinder.com/user/52b....000f9b

And I grabbed the user_id from the groups json "user_id" var

I also made the request from the browser on my phone... same thing.

Do I need to add some Tinder OAuth credential to the curl request?

robin_hood_jr, almost 9 years ago
What is the format for the SECRETS.json file since it needs to include both the auth token and the Facebook id?

    f = open("SECRETS.json")
    self.fb_auth = json.load(f)

So does it matter what I name the auth parameters or just that I set the values correctly?

i.e.:

    { "auth_token" : "TOKENVAL", "fb_id" : "IDVAL" }

trombone, almost 9 years ago
Wouldn't this require you to have specifically opted-in to "Tinder Social"?

Xeronate, almost 9 years ago
Anyone getting Unicode errors even after removing all of the emojis from the source?

wodenokoto, almost 9 years ago
In your Tinder profile you can see which friends Tinder will show as common friends. This is a subset of your Facebook friends and I've always assumed these are your Facebook friends who are on Tinder.

wiradikusuma, almost 9 years ago
Just FYI, doesn't work in Asia, maybe because there's no Tinder Social yet.

gnahckire, almost 9 years ago
This blog post is so hilariously written. Props to the author.

foota, almost 9 years ago
Holy direct object reference vulnerability, Batman!

cloudjacker, almost 9 years ago
How do you build this in OSX? Apple's Python situation is out of control

defaultnamehere, almost 9 years ago
'gender': 1, // 1 is female, 0 is male. C'mon Tinder that's not how gender works

C'mon Tinder.

redwood, almost 9 years ago
How can I tell if I've even been opted in? Bastards. I'm a paying customer and they pull this crap.