Most dating apps limit searches to specific areas, and you have to match with someone who also ‘swiped right’ or ‘liked’ you. That meant we also had to like profiles of potentially real people. We gauged this by sending messages between our test accounts with links to known bad sites. They arrived just fine and weren’t flagged as malicious. With a little bit of social engineering, it’s easy enough to dupe the user into clicking on a link. It can be as vanilla as a classic phishing page for the dating app itself or the network the attacker is sending them to.
We also employed a few house rules for our research: play hard to get, but be open-minded. The goal was to familiarize ourselves with the quirks of each online dating network.
We also had our fair share of cheesy pickup lines and honest, good people connecting with us, but we never got a targeted attack. Perhaps no campaigns were active on the online dating networks and areas we chose during our research.
This isn’t to say though that this couldn’t happen or isn’t happening—we know that it’s technically (and definitely) possible.
Tinder, for instance, retrieves the user’s information on Facebook and shows this in the Tinder profile without the user’s knowledge.
This data, which could’ve been private on Facebook, can be displayed to other users, malicious or otherwise.