CVE-2018-6017

An attacker on the same Wi-Fi network as a Tinder user can sniff unencrypted photo traffic to view every profile image the user sees [ref_id=1]. Additionally, although other commands use HTTPS, the encrypted payloads are not padded, so the attacker can distinguish different command types by their size — enabling reconstruction of swipes, matches, and other actions [ref_id=1]. The attacker only needs network proximity (same Wi-Fi) and a tool like the proof-of-concept TinderDrift to automatically reconstruct the victim's session [ref_id=1].

The advisory does not specify exact function or file names. The vulnerability is in Tinder's iOS and Android apps, where photo data is transmitted without HTTPS encryption while other commands are HTTPS-encrypted but still leak size information [ref_id=1].

The advisory recommends that Tinder encrypt all photo traffic with HTTPS and add padding to all encrypted commands so that each command appears the same size or is indecipherable amid random data [ref_id=1]. No patch or code diff is provided in the bundle; the remediation guidance comes solely from the researcher write-up [ref_id=1].