Criminals can use shortcomings in popular dating apps, including Tinder, Bumble and Happn, to see users’ messages and find out which profiles they’ve been viewing.
As well as having the potential to cause major embarrassment, the exploits could lead to dating app users being identified, located, stalked and even blackmailed.
The researchers, from Kaspersky Lab, studied the Android and iOS versions of Tinder, Bumble, Happn, OKCupid, Badoo, Mamba, Zoosk, WeChat and Paktor.
They said it was “fairly easy” to find out a user’s real name from their bio, as a number of dating apps allow you to add information about your job and education to your profile.
Using these details, the researchers managed to find users’ pages on various social media platforms, including Facebook and LinkedIn, as well as their full names and surnames, in 60 per cent of cases.
Some of the apps, such as Tinder, also let you link your profile to your Instagram page, which can make it even easier for someone to work out your real name.
As the researchers explain, tracking you down on social media can enable someone to gather much more information about you and circumvent common dating app restrictions.
“Some apps only allow users with premium (paid) accounts to send messages, while others prevent men from starting a conversation. These restrictions don’t usually apply on social media, and anyone can write to whomever they like.”
They also found that Tinder, Mamba, Zoosk, Happn, WeChat and Paktor users are “particularly susceptible” to an attack that lets people work out your precise location.
Dating apps tell you how far away another user is, but the precision varies between apps. They’re not supposed to reveal any exact location, but the researchers were able to uncover one anyway.
“Even though the application doesn’t show in which direction, the location can be learned by moving around the victim and recording data about the distance to them,” say the researchers.
“This method is quite laborious, though the services themselves simplify the task: an attacker can remain in one place, while feeding fake coordinates to a service, each time receiving data about the distance to the profile owner.”
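The defence this finding calls for is on the server side: compute the displayed distance from a coarsened copy of the user’s location and report it only in whole-kilometre buckets, so that feeding many fake coordinates returns the same answer. The example below is added here to illustrate that and is not code from the article or from Kaspersky Lab; the coordinates, cell size and function names are constructed for the illustration.

```python
import math

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def snap_to_grid(lat, lon, cell_km=1.0):
    """Move a stored location to the centre of a cell roughly cell_km wide.
    Coarsening the stored point (not just the displayed number) means repeated
    queries can never narrow the user down below the cell size."""
    lat_step = cell_km / 111.0                      # ~111 km per degree of latitude
    lon_step = cell_km / (111.0 * max(math.cos(math.radians(lat)), 0.01))
    return ((math.floor(lat / lat_step) + 0.5) * lat_step,
            (math.floor(lon / lon_step) + 0.5) * lon_step)

def reported_distance_km(user_lat, user_lon, viewer_lat, viewer_lon,
                         cell_km=1.0, round_km=1.0):
    """Distance shown to a viewer: from the snapped location, rounded up to
    whole round_km buckets and never below one bucket."""
    slat, slon = snap_to_grid(user_lat, user_lon, cell_km)
    d = haversine_km(slat, slon, viewer_lat, viewer_lon)
    return max(round_km, round_km * math.ceil(d / round_km))

def distinct_answers(distance_fn, user, viewer, step_deg, n):
    """Audit helper: query n x n viewer positions around `viewer` and count the
    distinct distance values returned. Exact distances give many values (a
    fine-grained leak); coarsened distances give very few."""
    seen = set()
    for i in range(n):
        for j in range(n):
            vlat = viewer[0] + (i - n // 2) * step_deg
            vlon = viewer[1] + (j - n // 2) * step_deg
            seen.add(distance_fn(user[0], user[1], vlat, vlon))
    return len(seen)

# Constructed sample points (central London), not taken from the research.
USER = (51.5074, -0.1278)
VIEWER = (51.5100, -0.1200)
```

Running `distinct_answers` with `haversine_km` and then with `reported_distance_km` over the same probe grid shows the contrast: the raw distance changes with every few metres of viewer movement, the bucketed one does not.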
Most worrying of all, the researchers were also able to access users’ messages, find out which profiles they’d viewed and even take over people’s accounts.
They managed to do this by intercepting data from the apps and stealing authentication tokens – mainly from Facebook – which often aren’t stored very securely.
“Using the generated Facebook token, you can get temporary authorization in the dating application, gaining full access to the account,” the researchers said. “In the case of Mamba, we even managed to get a password and login – they can be easily decrypted using a key stored in the app itself.
“Most of the apps in our study (Tinder, Bumble, OK Cupid, Badoo, Happn and Paktor) store the message history in the same folder as the token. As a result, once the attacker has obtained superuser rights, they will have access to correspondence.
“In addition, almost all the apps store photos of other users in the smartphone’s memory. This is because apps use standard methods to open web pages: the system caches photos that can be opened. With access to the cache folder, you can find out which profiles the user has viewed.”
The researchers, who have reported the exploits to the developers of the apps, say you can protect yourself by avoiding public Wi-Fi networks, especially if they aren’t protected by a password, and using a VPN.
They also recommend not adding your place of work to your dating profile.