
Last year I built the platform 'Tindex'. It was an index of Tinder profiles so people could search by name, gender and age.

We scraped the Tinder profiles through a Tinder API which was discontinued not long ago, but weirdly enough it was still intact, and one of my friends who was also working on it found out how to get API keys (somewhere in the network tab at Tinder Online).

Besides name, gender and age we also got 3 distances, so we could calculate each user's location, then save the location every 15 minutes and put the coordinates on a map so users of Tindex could easily see the current location of a specific Tinder user.

Fun note: we also got the Spotify data of each Tinder user, so we could actually know at which time and at which location a user listened to a specific Spotify track.

Later on we started building it out: a chatbot which connected to Tinder so Tindex users could automatically send a pick-up line to their new matches (it was kinda buggy; sometimes it sent 3 pick-up lines at once).

Right when we started building a revenue model we stopped the entire project because a friend of ours had found out that we basically violated almost all terms.

Was a great project, learned a lot from it and actually had me thinking twice or more about online dating platforms.

Below is an image of the user overview design I prototyped. The data is mock data.
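The "3 distances" trick in the post is plain trilateration: if a server discloses the distance between you and a target from three positions you control, the target's position is the intersection of three circles. The block below is an added example and is not code from the post's author or from any Tinder API. It fakes the distance field three probe accounts would be shown (the target and probe coordinates are constructed points around Amsterdam, chosen arbitrarily), recovers the target, and then shows how rounding the disclosed distance to whole kilometres, the usual mitigation for this class of leak, degrades the result. All function and variable names are my own.

```python
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius, metres (spherical model)

# Constructed sample data, not real users or real probe accounts.
TARGET = (52.3731, 4.8926)  # the victim's (unknown to the attacker) position
PROBE_POSITIONS = [         # three positions the attacker spoofs, a few km apart
    (52.3900, 4.8700),
    (52.3550, 4.9200),
    (52.3600, 4.8600),
]


def _to_local_xy(lat, lon, lat0, lon0):
    """Project (lat, lon) to planar metres relative to (lat0, lon0).

    An equirectangular approximation is accurate to a few metres over the
    few-kilometre distances a "distance to this user" field reports.
    """
    x = math.radians(lon - lon0) * EARTH_RADIUS_M * math.cos(math.radians(lat0))
    y = math.radians(lat - lat0) * EARTH_RADIUS_M
    return x, y


def _to_lat_lon(x, y, lat0, lon0):
    """Inverse of _to_local_xy."""
    lat = lat0 + math.degrees(y / EARTH_RADIUS_M)
    lon = lon0 + math.degrees(x / (EARTH_RADIUS_M * math.cos(math.radians(lat0))))
    return lat, lon


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres. Used both to fake the server's
    distance field and to measure how far off the recovered position is."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def trilaterate(probes):
    """probes: three (lat, lon, distance_m) tuples -> (lat, lon) of the target.

    Each probe gives a circle (x - xi)^2 + (y - yi)^2 = di^2. Subtracting the
    first circle from the other two cancels the quadratic terms and leaves two
    linear equations in (x, y), solved here with Cramer's rule.
    """
    if len(probes) != 3:
        raise ValueError("exactly three probes are needed")
    lat0, lon0, _ = probes[0]  # probe 1 is the origin of the local frame
    pts = [(*_to_local_xy(lat, lon, lat0, lon0), d) for lat, lon, d in probes]
    (x1, y1, d1), (x2, y2, d2), (x3, y3, d3) = pts
    # Linear system:  a*x + b*y = c   and   d_*x + e*y = f
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = d1**2 - d2**2 - x1**2 + x2**2 - y1**2 + y2**2
    d_, e = 2 * (x3 - x1), 2 * (y3 - y1)
    f = d1**2 - d3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a * e - b * d_
    if abs(det) < 1e-9:
        raise ValueError("probe points are collinear; move the third probe off the line")
    x = (c * e - b * f) / det
    y = (a * f - c * d_) / det
    return _to_lat_lon(x, y, lat0, lon0)


def simulate_lookup(target, probe_positions, round_to_m=None):
    """Stand-in for the server: for each probe position return the distance
    it would disclose. round_to_m models a server that only reports coarse
    distances (e.g. whole kilometres) instead of exact ones."""
    tlat, tlon = target
    probes = []
    for plat, plon in probe_positions:
        d = haversine_m(plat, plon, tlat, tlon)
        if round_to_m:
            d = round(d / round_to_m) * round_to_m
        probes.append((plat, plon, d))
    return probes


def locate(target, probe_positions, round_to_m=None):
    """Run one attack end to end: returns (est_lat, est_lon, error_m)."""
    est_lat, est_lon = trilaterate(simulate_lookup(target, probe_positions, round_to_m))
    return est_lat, est_lon, haversine_m(est_lat, est_lon, *target)


if __name__ == "__main__":
    for label, granularity in (("exact metres", None), ("rounded to 1 km", 1000)):
        lat, lon, err = locate(TARGET, PROBE_POSITIONS, granularity)
        print(f"{label:16s} -> ({lat:.5f}, {lon:.5f}), error {err:.0f} m")
```

With exact distances the recovered point lands within a few metres of the target; with distances rounded to the nearest kilometre the same three probes land hundreds of metres off. That is why coarse, rounded distances (and rate limits on position changes) are the standard response to this leak: the attacker can still narrow the area down by taking more probes, but no longer gets a street address from three API calls.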

Comments
  • 146
    Woah.
    Project looked really good and shows exactly how fucked up (as in "leaking" all information) it is.

    It would be interesting to write an article on the whole thing. I'm sure lots of people would read that!
  • 119
    Write an article about this.

    Now.
  • 38
and how many matches for yourself did you fabricate? 😄
  • 31
@010001111 if he wants Tinder lawyers to hunt him he totally should.
  • 26
    @heyheni Can't remember how many but we scraped at least all users from the Netherlands, Belgium and Germany at the time :')
  • 47
Sounds like a data leak if you ask me....
  • 33
    I don’t know how to feel about this. The work you have done is amazing, and thank god you didn’t publish the platform. On the other hand it does sound like a major privacy issue that should get publicity.
  • 8
    Love it. I worked at Match for a short contract. This would have put their underwear in some serious knots!
  • 17
    @wiwe2210 @620hun if you think about it: we could scrape the data from either the api or the website, the api is just a tool. So doesn't this mean the data is public to everyone?
  • 12
    @localjoost yep, that’s the problem. It shouldn’t be available through API. This is why Facebook and Instagram basically killed their public API after the CA scandal.
  • 10
So you did not even think that all that could be against the terms of use? 🤔
  • 18
    If you're jobless, send the project to Tinder HQ and they probably employ you as their security engineer
    j/k
  • 14
    @localjoost I've never been more grateful to not be registered there.
  • 15
    Thumbs up on the timing 👍
Scare off the already lonely coders from Tinder just before Valentine's 😂
  • 10
    @620hun well but that's kinda retarded cause there's always an API... It might not be public but as long as you can use the app/webapp in any way you can always extract the keys and scrape...
  • 3
    @eval Well, yeah, but the scope will be limited. If you can only scrape stuff that you’d see in the app anyway it’s fine. That was clearly not my (or anyone’s) issue.
  • 5
I wanted to do the same but didn't find the API :(. 6tin for example is an app for Windows where you can move your location (which as far as I know is only possible with the "premium" subscription). They must have some deal with Tinder I must guess, but it's fun to watch how easily you can consume a public API and get something done with it (even if it's bad)
  • 15
    "we basically violated almost all terms."

    No shit... Why the hell was all that info made so easily available O_O
  • 5
    @bennythecat96 It's not a public API, the api isn't supposed to be there anymore. Tinder uses it for gotinder.com I think. Otherwise they would've taken it offline.
  • 10
    Does it really matter if you violate any terms? They are not law, so the only consequence could be that your contract with Tinder could be ended... which is pointless if you have no profile and with that no contract.

    I am very sure that they couldn't have forced you to stop using a public and documented API.
  • 7
About the data being public anyway: I'm no lawyer, so this ain't legal advice. I do know the laws in Switzerland a bit however. As far as I know, at least here it doesn't matter if it is/was "publicly" available to technical users, it's about if you did or didn't give access to a new group of users.

Abstract example: your university/employer has a contract with a publisher for some books or whatever which allows all employees/students to read them as PDF. If you now go on and share that PDF on your website or social media, you've given other users access to that data.
At least in Switzerland it would probably be the same. Before, that data was only available to "power users", like people who know how to scrape a website and/or use an API. With a publicly accessible website you'd expose this data to a non-technical audience...

    That's just my two cents...
  • 7
    If the API wasn't supposed to still exist, Tinder made a boo boo and should publicly confirm the leak because they presumably updated their privacy policy to reflect less public data.

    I can't believe you built an entire application with that much logic and scraping and didn't think to read the TOS...

    Violating TOS can mean legal issues and being shut down from current and future use of their service/API. This is true for any service.
  • 6
    That is amazing and scary in the same time. Post an article.
  • 7
    That's some fucked up shit son. Good job
  • 8
    I'd definitely like to read an article on that. If at all possible, post it to Tinder's security mailing list in a less wide scope (this would definitely qualify as user exploitation) and hope that they don't check their API log (well they probably would). Maybe best to report anonymously. How much personal information about you did those API requests hold (don't wanna know, just think about it and make an appropriate conclusion)? If it's anonymous enough that you'd say that their security chaps wouldn't be able to trace it down to you even if they wanted to (which should always be assumed, experienced that firsthand), maybe consider reporting it. Anonymous nature wouldn't allow for bug bounty unless you decide to donate it though. Either way, really interesting story! Hopefully my Tinder data wasn't in it, but I don't have high hopes for it, haha. At least I've got the fact that I only turned on location (because apparently that's mandatory) when I opened Tinder going for me 😅
  • 4
Make a paper out of that! Not only an article. Break all the stuff you can break and write a report on what you could or could not do. From what you've written there's quite a lot of data leakage.
  • 3
I'm not on Tinder... should I still be worried? Lol, as interesting as this sounded, it's still scary. Kudos for stopping the project and not being greedy after realising that you guys violated the terms. 👍
  • 3
    Did you get any dates out of it though ?
  • 8
    This is a privacy issue and should be right now reported to tinder so they fucking fix it. I don't use Tinder but I hate to see huge platform get so easily breached. Gods work man. Report it tho.
  • 8
    When you search Tindex on DuckDuckGo...
  • 5
I remember Ashley Madison data breach analyses proved that most of the women on their portal are bots and only 5% are real.
    I saw some bots working on social portals but how is it compared to dating platforms?
  • 16
    The Verge
    "Over 20 million Tinder accounts leaked in Tindex scandal."

    Buzzfeed
    "Tindex: find out if your ex's Tinder account data has been leaked!"

    New York Times
    "EU sues tinder for 300 million euros over tindex data breach"

    Techcrunch
    "Chinese venture capital takes over Tinder stock after the €300 mio GDPR fine."

    😆
  • 2
    @heyheni Hahahaha love it, thanks for this 😁
  • 3
    @heyheni this is perfect. Lol
  • 2
Nice work
  • 2
    Do a medium post, let them burn
  • 3
So.. would the world's best dating site actually have an API so we could get all the data we wanted?

    Save writing your own applications if someone else does it for you..

    Or is there some reason(s) why no one does that ?
  • 7
    I want to see your code 😐
  • 3
    @hobyrr yes for research purposes and stuff... 🎓🙈🤞
  • 4
    Crazy shit. Well done how you worked with the data to generate even more data.
    I agree with the others though, you should bring this to their attention.
  • 7
I don't want to kill the mood here but this is the same old "programmers are too lazy to secure the app" story + a bit of reverse API engineering, and it's not worth more than a nicely wrapped article.

While poking around I found out that I can freely book the "premium" seats for Ryanair/Wizzair (and maybe many more companies might have the same bug 😅) and this is just the tip of the iceberg, but you don't see me bragging about it... oh wait... 🙈
  • 2
    @pitzyrulz 😲 are you a hacker? can you hack facebook?
  • 4
    @heyheni i don't hack and tell 😅
  • 2
    @heyheni “ case study” 😁
  • 2
    Your story should be covered by some great podcast, including all dirty details 🤔
  • 1
    Report to tinder and spotify, so hopefully you get bounty from them. Then blog about it
  • 2
    Maybe grindex next? I imagine they have a few open backdoors.
  • 1
    @fullslack Grindex as in grind your ex?
  • 2
@heyheni Grindr. Thought I saw you there
  • 1
    As long as I was reading I was like "Is all this allowed by Tinder? Or is it even legal?"
The conclusion answered my thoughts