Hacking Tinder for Fun and Profit
ydesouza.comOr just use this handy node package. I used it to auto like 22,000 people in LA, and went on dates for 9 days in a row. Let's just say I'm a bit exhausted.
https://www.npmjs.org/package/tinderbot
Edit: My tinder bot: https://github.com/deftx/loltinder
Thank you very much for this. 22k in LA? Wow. Looks like there are only about ~3-5k in Portland, OR.
This is the most useful dating advice I have ever seen on Hacker News.
I've been looking into packet tracing some mobile games that operate entirely online. I'm sure the mobile space is packed to the brim with unrestricted APIs... Thanks for the motivation/tips.
I don't think it's an "unrestricted" API if it uses https and you have to intercept and extract an auth token from a valid session. But I get what you mean -- it is fun to look under the covers and see how the big companies do things.
Yeah, I agree. MITM attacking your own auth token is not a great example of an "unrestricted" API. I'm thinking more POST requests to games where you can edit resources, change high score, etc. The kind of stuff you used to see all the time on web games, before popularity increased to the point where the developers had to take care of it.
I'd just imagine developers are a lot less wary about security holes because they assume that their client is "just" a smartphone and not a rooted packet sniffer.
Oh they absolutely are. If you want a kick, look at snapchat's headers :)
You can combine with an Android emulator (to spoof GPS location), and a fake facebook to be literally anybody, anywhere, and see who likes you. While it's certainly not the intended use of the app, A/B testing your appearance to different regions is not out of the question.
You can also send your GPS location through the API.
A buddy of mine did almost exactly the same thing a few months back. Here is a link to that http://blog.venkatesh.ca/automating-tinder/
Here is a cached version since the response time seems quite high to me: http://webcache.googleusercontent.com/search?q=cache:EqfLajb...
Is it possible to mitigate this kind of thing by using certificate pinning?
How would that help? The client doesn't need to trust anything from the server, just firehose likes back at it.
Even if you were for some reason using client certificates, you'd just have to rip apart the Tinder APK to get the cert and you're done.
By pinning the cert, the inspection of the protocol wouldn't have been possible the first place, since the app would reject fiddler's SSL cert. The tinder APK would only contain the information needed to verify the cert, not generate a valid one. If this wasn't the case, SSL would be useless.
Then you crack the app and bypass the auth check. App continues to talk to server, you continue to document the api. Or hook a debugger into the app and watch what network calls it makes. The only real solution would be to do sanity checks on the server.