Cybersecurity

Tantan no match for Tinder: China’s rival to the popular dating app exposes privacy risk with photos, chatlogs, location all accessible

Hong Kong-based expert uses free Wi-Fi and a developer’s program to demonstrate how easy it is to hack Tantan, the Chinese dating app used by millions

PUBLISHED : Tuesday, 17 November, 2015, 1:14pm
UPDATED : Wednesday, 18 November, 2015, 6:05am

A Tinder-style Chinese dating app with millions of users is leaving its members’ privacy dangerously unprotected, according to a Hong Kong technology expert.

Using just free Wi-Fi and an Apple developer’s program, cybersecurity expert Larry Salibra said he could access Tantan users’ photos, details, chat logs and even their location.

Tantan’s chief executive and co-founder Yu Wang said the security complaints were not as bad as suggested, but admitted changes needed to be made to protect users’ privacy on his app.

The questions over the app’s privacy come just four months after dating website Ashley Madison, which targeted married people, suffered a massive leak of user information that has been linked to some suicides.

“I found they weren’t encrypting anything, including your password … You can see anything the clients enter into the app and anything the client sends back to the server: their phone number, their password, their location coordinates,” Salibra said.

Tantan, which translates as ‘scouting around’, was founded in July 2014, using a similar interface to popular dating app Tinder, and had drawn about two million users in one year, according to the company.

Salibra said he had been impressed by the app’s design when he first downloaded it, but he immediately found problems.

“If you can imagine, hypothetically, that I am a bad person and I want to blackmail some rich person’s daughter, it would be pretty easy to get [that information],” he said.

“If you wanted to do bad things to people or steal someone’s identity… it’s not that difficult.”

Provided you were monitoring the conversation in real time, you could even read the chat logs of people as they flirted on the app, Salibra said.

“I reached out to [Tantan] on Weibo, I emailed them, then I emailed a few people who worked inside the company,” Salibra said.

“I didn’t hear any response. I didn’t want to compromise anyone’s data so I wanted to make sure they had time to address the issue.”

Salibra initially emailed the company with his concerns as early as March 2015.

Following public interest and requests from the South China Morning Post on Monday, Tantan chief executive Yu said the company was looking to release a version fixing these issues within two weeks.

“[To] not have HTTPS/SSL [encryption] really is a bad idea in general and we are working on releasing it as soon as possible,” Yu said, in an email to Salibra seen by the Post.

But Yu said the app’s privacy issues were less severe than the full-scale hack which occurred at Ashley Madison, adding that tracking a user’s location would be difficult.

“We have also taken special steps to prevent others from being able to pinpoint your location through triangulation of the data you get from the API,” he said.