Prakash says that Facebook awarded him $US5000 ($6404) through its bug bounty program for finding the vulnerability.
"There was a vulnerability on Account Kit, which an attacker could have [used to] gain access to any user's Account Kit account just by using their phone number."

According to the latest flaw discovered by Appsecure, infiltrators could easily access your Tinder account using only your own phone number. Tinder allows users to like or dislike other users, and then proceed to a chat if both parties swiped right. Account Kit is reliable, easy to use and gives the user a choice about how they want to sign up for apps. It was thus possible to create an authorization token belonging to a stranger from Account Kit, and then send it to Tinder's app to log in as that person.

If you are interested in the specifics, Appsecure has published a rundown of the steps hackers would have had to take if they had wanted to exploit the vulnerabilities for themselves. But a compromised account could be used to wreak havoc for the legitimate user, matching them with people they wouldn't touch with a cattle prod and swiping left on people who would usually see them retire to their rooms for a bit of, ahem, self-reflection.
Vulnerabilities in Tinder and in Facebook's Account Kit tool could have allowed a hacker to take over a user's Tinder account, gaining access to their private messages, using only the victim's phone number. Once in, the attacker could get hold of the user's Account Kit access token, which is present in the cookies (aks).

The vulnerability came down to a mix of two things: Tinder itself, and Tinder's use of Facebook's Account Kit. Together they could have given malicious hackers or sour exes access to accounts. Please note that Account Kit was not verifying the mapping of the phone numbers with the OTPs.
"The attacker basically has full control over the victim's account now", Prakash wrote.