CVE-2018-6018

9.1 CRITICAL

📋 TL;DR

CVE-2018-6018 is a vulnerability in Tinder's mobile apps where fixed HTTPS response sizes allowed attackers to infer private user actions (like swipes) by analyzing encrypted network traffic patterns. This affects Tinder iOS and Android app users on unsecured networks. The underlying weakness is metadata leakage: HTTPS encrypts the payload but does not hide response sizes, and those sizes were constant per action.

💻 Affected Systems

Products:
  • Tinder iOS App
  • Tinder Android App
Versions: Prior to the January 2018 updates
Operating Systems: iOS, Android
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default app configuration over standard HTTPS connections. It requires the attacker to be on the same network segment as the victim.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers on the same network could reconstruct complete user swipe patterns, infer sexual orientation, relationship status, and personal preferences without decrypting traffic.

🟠 Likely Case

Attackers on public Wi-Fi could monitor swipe patterns to infer user preferences and potentially identify specific users based on their activity patterns.

🟢 If Mitigated

With proper network segmentation and user awareness, impact is limited to theoretical risk with minimal practical exploitation.

🌐 Internet-Facing: HIGH - Mobile apps connect to internet services and users frequently use public Wi-Fi where attackers can sniff traffic.
🏢 Internal Only: LOW - This is primarily a client-side mobile app vulnerability requiring network proximity to victim.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network sniffing capability but no authentication or special privileges. Tools for traffic analysis are widely available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Tinder app updates released in January 2018

Vendor Advisory: https://www.checkmarx.com/2018/01/23/tinder-someone-may-watching-swipe-2/

Restart Required: Yes

Instructions:

1. Update the Tinder app from the official app store
2. Ensure the app version is post-January 2018
3. Restart the app after the update

🔧 Temporary Workarounds

Use VPN on untrusted networks (applies to: all platforms)

Encrypt all network traffic through a VPN to prevent traffic analysis

Avoid public Wi-Fi for sensitive apps (applies to: all platforms)

Use cellular data or trusted networks when using dating apps

🧯 If You Can't Patch

  • Use a VPN service on all untrusted networks so that an observer on the local network sees only the encrypted tunnel, not per-request response sizes
  • Disable automatic Wi-Fi connections and only use trusted, encrypted networks

🔍 How to Verify

Check if Vulnerable:

Check app version in settings - versions before January 2018 are vulnerable. Monitor network traffic for consistent response sizes to similar actions.

Check Version:

Check within app settings or app store for version information

Verify Fix Applied:

Update to latest Tinder version and verify response sizes vary for similar actions when monitoring encrypted traffic.

📡 Detection & Monitoring

Log Indicators:

  • Unusual network traffic patterns from mobile devices
  • Consistent packet sizes for different user actions

Network Indicators:

  • Consistent HTTPS response sizes for different API endpoints
  • Patterned network traffic from Tinder app

SIEM Query:

source="network_traffic" app="Tinder" packet_size_variance<10%
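The verification and detection steps above both reduce to one measurement: for a given user action, how much do the observed HTTPS response sizes vary, and do the sizes of different actions overlap? The following is an added example, not code from the page, the CVE record, Tinder, or Checkmarx, of how a tester could put numbers on that check against observations from their own device. The log format, the action labels and every byte count are constructed; the 10% threshold is taken from the SIEM query above.

```python
"""Quantify how consistent encrypted response sizes are per user action.

Input: observations captured from the tester's own device while performing
known actions, one per line as "<action>,<response_size_bytes>". The lines
below are constructed sample data, not real captures.
"""
from statistics import mean, pstdev

# Constructed sample: each action always yields (almost) the same size.
UNPATCHED_LOG = """\
like,374
like,374
like,375
pass,278
pass,278
pass,279
"""

# Constructed sample: sizes vary per action and the ranges overlap.
PATCHED_LOG = """\
like,1210
like,1893
like,1502
pass,1640
pass,1188
pass,1977
"""


def parse_observations(text):
    """Parse "<action>,<size>" lines into {action: [sizes]}; skips blank lines."""
    by_action = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        action, size = line.split(",", 1)
        by_action.setdefault(action.strip(), []).append(int(size))
    return by_action


def size_variance_by_action(by_action):
    """Coefficient of variation (population stdev / mean) of sizes per action.

    A value near 0 means every response for that action has the same size,
    which is exactly what lets an observer label the action without decrypting.
    """
    return {
        action: (pstdev(sizes) / mean(sizes)) if len(sizes) > 1 and mean(sizes) else 0.0
        for action, sizes in by_action.items()
    }


def sizes_separate_actions(by_action):
    """True if no two actions' [min, max] size ranges overlap.

    Disjoint ranges mean a single response size identifies the action outright;
    overlapping ranges mean size alone cannot tell the actions apart.
    """
    ranges = [(min(s), max(s)) for s in by_action.values()]
    ranges.sort()
    for (_, hi_prev), (lo_next, _) in zip(ranges, ranges[1:]):
        if lo_next <= hi_prev:
            return False
    return True


def fingerprintable(text, threshold=0.10):
    """Verdict for one capture: True if the traffic still leaks actions via size.

    Flags a capture when any action's size variance is below `threshold`
    (the 10% cut-off from the SIEM query) or when size ranges do not overlap.
    """
    by_action = parse_observations(text)
    low_variance = any(cv < threshold for cv in size_variance_by_action(by_action).values())
    return low_variance or sizes_separate_actions(by_action)


if __name__ == "__main__":
    for label, log in (("unpatched", UNPATCHED_LOG), ("patched", PATCHED_LOG)):
        obs = parse_observations(log)
        print(label, {a: round(cv, 3) for a, cv in size_variance_by_action(obs).items()},
              "separable:", sizes_separate_actions(obs), "fingerprintable:", fingerprintable(log))
```

Run it against a capture of your own session after updating: a result of `fingerprintable == False` for the actions you exercised is the "response sizes vary for similar actions" condition the Verify Fix Applied step asks for. Either signal on its own is enough to fail the check, since disjoint size ranges leak the action even when per-action variance is above the threshold.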
