Tinder's lack of encryption allows spying (sophos.com)
134 points by brysonm on Jan 25, 2018 | hide | past | favorite | 34 comments


The most surprising thing about this to me is how long it took to have a new cycle about it.

Firesheep was a 2010 invention. Once that happened, anyone could chill in a coffeeshop and watch the http traffic whizz by.

... as much as we want to excoriate Tinder, it's been reasonable for most of their users to have 'i dgaf' as their threat model.


Just a note, Firesheep didn't implement generic traffic sniffing, just cookie-cloning, and that only when someone implemented a Firesheep plugin with an appropriate regular expression or whatever for a given site. So the existence of Firesheep itself wouldn't allow people to passively watch traffic for arbitrary sites, and not even to perform attacks against newly popular sites if no community kept it up to date for those sites.


> ... as much as we want to excoriate Tinder, it's been reasonable for most of their users to have 'i dgaf' as their threat model.

This presumes users are aware of whether an app's traffic is encrypted or not. It's interesting how much thought goes into the UX of browser address bar security indicators, while everyone happily uses apps with no visual indicators of network connection security of any kind.


Or whether users know what encryption really means or not.

Users don't choose between apps based on a laundry list of features like security consciousness of the developers. They know Tinder is where you get dates and they download and use that.


Most users, yes. But even those who do care, and know a little about it, don't necessarily have any obvious path to verify which apps do/don't encrypt their traffic.

I'm a mobile app developer, and if I were downloading Tinder I am actually naïve enough that I would have presumed its network traffic would be. It just seems so matter of course to me that network requests written into any app being developed would just use HTTPS.


> Firesheep was a 2010 invention. Once that happened, anyone could chill in a coffeeshop and watch the http traffic whizz by.

That's incorrect. Firesheep performed session hijacking using unencrypted session cookies.


Which part of the comment is incorrect?


> Which part of the comment is incorrect?

I quoted the incorrect part of the comment. Then, I posted a correction to the comment that is incorrect. Firesheep doesn't display the HTTP traffic whizzing by but steals cookies for a session - allowing the malicious party to view information from the server, not the information between the server and client.


Someone already released an app making use of this exploit.

http://www.dailymail.co.uk/video/sciencetech/video-1614014/V...


Good. These kinds of things need to happen and be well-known in order for companies like Tinder to get their act together.


I remember this issue with S3 files and being unable to configure the certificate correctly. What are the correct steps to get that to work?

Also, clever find that there's a side channel on left vs right swipe. What caused these payload differences?


I think unless you want to use your own custom DNS, you don't even need to set up certificates, *.amazonaws.com has HTTPS already, with amazon certs. If you want SSL on your own DNS, I think you're forced to use cloudfront - perhaps they didn't want to pay for that :|


CloudFront is cheaper than S3. S3 is for storage, CloudFront is for distribution.


Right, I think you would need to put cloudfront in front of s3 in this case, which is what makes it more expensive.


I’m sorry, I don’t understand. S3 storage is cheap, bandwidth is expensive. CF is free storage for in-cache items, refreshed from the S3 backend when expired, serving that bandwidth. You can’t lose money as compared to a pure S3 setup.


Hmm, well it seems S3 to CF bandwidth is free (didn't realize this), and bandwidth from CF to internet vs S3 to internet is approximately the same (also surprising to me). So it costs approximately the same.


Left = 4 characters, Right = 5?
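The 4 vs 5 character difference guessed at above, as an added example that is not from the Sophos article, Checkmarx, or any commenter: a toy model showing that a length-preserving cipher still lets a passive observer tell two responses apart, and that padding to a fixed bucket removes that signal. The response bodies, the tag overhead and the bucket size are constructed assumptions, not values from the page.

```python
"""Length side channel on encrypted responses, and padding as the fix."""
import os
from typing import Dict

# Constructed stand-ins for the two swipe outcomes; the real bodies are not on the page.
SWIPE_RESPONSES: Dict[str, bytes] = {"left": b"pass", "right": b"match"}

TAG_LEN = 16  # assumed constant AEAD overhead; TLS adds a fixed amount per record

def encrypt_stub(plaintext: bytes) -> bytes:
    """Models only the *size* of an encrypted record: ciphertext is as long as
    the plaintext plus a constant tag. The content is hidden, the length is not."""
    keystream = os.urandom(len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, keystream))
    return body + b"\x00" * TAG_LEN

def pad_to_bucket(body: bytes, bucket: int) -> bytes:
    """Pad to a multiple of `bucket` bytes. A 4-byte big-endian length prefix
    lets the receiver strip the padding without ambiguity."""
    framed_len = len(body) + 4
    target = -(-framed_len // bucket) * bucket          # ceiling to next bucket
    return len(body).to_bytes(4, "big") + body + b"\x00" * (target - framed_len)

def unpad(padded: bytes) -> bytes:
    """Inverse of pad_to_bucket."""
    n = int.from_bytes(padded[:4], "big")
    return padded[4:4 + n]

def leaks_action(responses: Dict[str, bytes], pad_bucket: int = 0) -> bool:
    """True when ciphertext lengths alone distinguish the actions.
    With pad_bucket > 0 every body is padded before 'encryption'."""
    lengths = set()
    for body in responses.values():
        if pad_bucket:
            body = pad_to_bucket(body, pad_bucket)
        lengths.add(len(encrypt_stub(body)))
    return len(lengths) > 1

if __name__ == "__main__":
    print("unpadded leaks:", leaks_action(SWIPE_RESPONSES))            # True
    print("padded to 64 leaks:", leaks_action(SWIPE_RESPONSES, 64))    # False
```

Padding closes only the length dimension; response timing and the number of records exchanged are separate signals that need their own treatment.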


The next thing you should look at is who they send your personal data to and what data they send. There were rumors a year ago that they sent personal data to known advertiser IPs.


Does tinder have ads? How do they monetize their service?


You link it with your facebook id, anything you share in addition about your personal preferences is always of great interest.


Premium subscriptions and micro-transactions. As an active user, it really is a very cost-effective service.


Funny, I remember setting up a mitm proxy on a Raspberry Pi for Tinder when I was designing an interactive display of my Tinder likes and dislikes. Even used the content-length trick to bypass installing a custom root cert on my phone to decrypt swipe status. Didn't think about the security implications of it at the time but in hindsight it was terrible security practice.


So where is the github link that lets us play with this?


Why would they make a github repo with this exploit for a seemingly not-fixed bug? If you're a security researcher it shouldn't be that hard for you to replicate it, and if you're not, there's no reason for you to have access to an app that lets you easily MITM someone's tinder results.


Because if shit like this gets magically patched and no one gets hurt, most people will continue to not care and groups like Tinder can continue to be lazy and do shit like this.


If the details in the post are correct, a tool like driftnet[0] should make abusing this pretty easy. Go forth and do bad things

[0] http://www.ex-parrot.com/~chris/driftnet/


I understand this might be a security issue, and I guess Checkmarx gets their name out. You can tell if someone swiped left or right on someone. However, how is this information useful for someone?


The article says that it looks like profile images can be downloaded insecurely. So now you can snoop on what people are looking at. And liking. Opportunities for blackmail, doxxing, griefing, etc., abound.

Also, attacks don't have to exist in a vacuum. As part of a larger suite of attacks, it appears to be a useful tool that can help build up a profile of somebody.

The answer when it comes to hacking is almost never "why". Rather, it's usually "why not".


disclaimer: let's have https everywhere and all that.

That said, you've described the 'why not'. All of the attacks you've identified are targeted and require significant investment. This opening doesn't allow for economically profitable mass-collection and exploitation (like say, grabbing credit cards or hacking into email accounts).


That's a bad line of thinking. Privacy doesn't work this way: there are a lot of things that you do every day and keep private even though they cannot easily be exploited. It's human nature.


I can imagine ways that a stalker/abuser would find this "useful" information and use it to harm, taunt, threaten, scare or harm their target.


There is the issue of the TLS connection of images fetched in the app (other things too?) being tied to a domain without a valid cert. In other words, you could MITM the TLS session between the wifi user and the Tinder servers for AT LEAST photos within the app, perhaps more (authentication? other app behavior?).

Because the app isn't strictly enforcing the validation of the cert of the photos domain it's trying to reach to pull photos, your MITM server is free to serve to the app as if it was the server on the Internet.


Personally, I'm resisting the urge to MITM a coffee shop wireless AP and replace all profile image requests with a request for a random picture of Donald Trump.


The guy spying on your Tinder searches in Starbucks is kind of late to the party. Presumably you have paid for Tinder somehow and therefore Paypal or your other payment provider have sold that data point to advertisers already, perhaps Facebook have bought that too.

Then Tinder is owned by the same company that owns all of the other dating websites, so there is a whole tier of people there that have your data.

Then there are the adverts - I assume Tinder has them or could have them - so again you have another 27 trackers on the advertising side of things.

Of course there is nothing cloak and dagger about this, the T+C's explain it all and a click on an agree button has been made along the way.

Luckily we have too much data to deal with and whatever weird clumsy stuff said in messaging won't haunt you for life, e.g. adverts for some alternative lifestyle won't haunt you in the day job.

I have heard that 'dick pics' are a problem with dating, guys don't seem to get the message. However, if they had a box in the agreement that said 'all dick pics and naked chest shots in front of cars will be shared with your bank, Facebook, advertisers and third party marketing randoms' then that might change things a bit.



