Vikram Kulkarni

Vikram has an MS in Information Security from Indiana University and a BS in Computer Engineering from India. His main focus is on mobile and web application security, and his research centers on Android and iOS security. At NetSPI, he has worked on web, network, mobile and thick client penetration tests. Vikram currently holds the CCNA certification.
More by Vikram Kulkarni
Tinder Flaw: Location-Based Application Payment Logic Bypass (April 4, 2016)

                    [post_content] => Tinder is one of the most popular social dating applications.

For the people who do not know about Tinder: Tinder has launched Tinder Plus, which requires a monthly paid subscription of $10 for users in the US under thirty years old and $20 per month for users over thirty. The paid version allows unlimited use, while the free version only allows around 50-60 "swipes" during one session of swiping; after that, it prompts the user to pay for Tinder Plus or wait around 12 hours. Tinder syncs with the user's Facebook account to pull the user's photos, age and name. Tinder also launched location-based pricing to promote usage in other countries like India.

The location-based pricing of Tinder can be exploited to use Tinder in the US on a promotional offer of $3 per month instead of the usual $10 per month. This bypass saves a user $84 a year. I could not find a good survey of the number of active users in the US region; one source states that around 24% of 10 million users pay for Tinder Plus. You can do the math on the total loss to the company if all of those users exploited this flaw to save $84 a year.

Prerequisites

This requires a Facebook account, a mobile device, and an Indian phone number. A quick Google search located a site where you can purchase an Indian number for $15-$18 a month. Personally, I have not used this site; I found the vulnerability when I was on vacation in India, where I had registered for a local Indian number. I tried to reproduce the bypass when I came back to the USA by creating a dummy Facebook account and asking a friend in India to forward me the registration code received on his cell phone. Here are the steps to reproduce the bypass:
  1. Create a Facebook account, or use an existing one, and make sure the user's age is less than 30.
  2. Download the Location Spoofer application.
  3. Modify the GPS location using Location Spoofer to a city in India like Mumbai (18.9750° N, 72.8258° E) for 1 hour or more.
  4. Download and install the Tinder dating application.
  5. Log in to Tinder and allow it to access your Facebook account information.
  6. Tinder will ask for a phone number and country. Select India and use the Indian phone number.
  7. Tinder will send a text message with a code to the Indian phone number to verify the account. Use the code to verify the account.
  8. Swipe right until you reach a payment prompt. Tada!! The bypass works. Pay $3 for the monthly subscription and enjoy the Tinder Plus services.

Tinder depends on the authenticity of third-party sources, Facebook and an Indian phone number, to provide information about the user. Neither the device's GPS position nor the country code of a phone number proves where the paying customer actually is, so the discounted price ends up keyed to inputs the user controls. I used the help of a friend in India to get the 6-digit verification code, but a new SIM card and number can be bought in India for less than $5 and used to register for Tinder, or one can be purchased online. Here's a demonstration of the hack:

Video: https://www.netspi.com/wp-content/uploads/2016/04/Tinder_Hack.mp4

Note: This was encountered in March 2015 and reported to Tinder. We were not able to get any response back from Tinder. This vulnerability has been fixed now.

Intercepting Native iOS Application Traffic (August 4, 2014)

In this blog, we will go through proxying an iOS application that uses native web sockets to interact with a web server. It should help penetration testers who are trying to intercept sensitive data sent by an iOS application in a non-trivial manner over the network, because some applications do not respect the iOS proxy settings.

During a recent iOS application penetration test, I encountered an iOS application that was sending data to port 20xx on a web server. This traffic could not be proxied by changing the iOS manual proxy settings (Settings -> Wi-Fi -> HTTP Proxy -> Manual) and forwarding the iDevice traffic to the proxy. One reason the normal proxying method can fail is that the application uses native sockets to talk to the web server instead of the normal UIWebView class; the HTTP proxy setting only applies to the system's HTTP client stack, so a raw socket connection ignores it. For more technical details of how web sockets can be configured in native iOS code, check out this elabs blog post.

There is a workaround for this problem. We can perform DNS spoofing to send the traffic for all of the ports through a MitM proxy like Burp. The blog is divided into three main steps.

  1. Sniff traffic using Wireshark to find the port and IP of the web server.
  2. Spoof DNS for the iDevice so that it sends all data to the laptop.
  3. Start a proxy on the laptop to intercept all traffic from the iDevice after DNS spoofing.

Given below is a step-by-step approach to intercepting native web socket iOS application traffic.

  1. Create a wireless hotspot with your machine and connect the iDevice to the hotspot. [Note: the machine needs to be connected to Ethernet or some other route out to the internet, as the Wi-Fi interface will be used for the hotspot. Refer here for information on how to create a hotspot on a Windows machine.]
  2. Start a network sniffer (like Wireshark) and look for traffic going to any non-standard ports.
    1. Filter the traffic to look at the traffic going to the destination server IP (ip.dst == ip.ip.ip.ip).
    2. Note the port number where the traffic is being sent.

Fig 1: Finding the non-standard port number where the application sends traffic.

  3. Start the Metasploit console to perform DNS spoofing and enter the following commands (msfconsole options are set as "set NAME value", without an equals sign):
    1. search fakedns
    2. use auxiliary/server/fakedns
    3. set SRVHOST <IP address of the laptop running the hotspot>
    4. set SRVPORT 53
    5. set TARGETACTION BYPASS
    6. set TARGETDOMAIN www.apple.com (Note: with TARGETACTION set to BYPASS, queries for www.apple.com are resolved normally and every other name is spoofed.)
    7. set TARGETHOST <IP address of the laptop running the hotspot>

Fig 2: Configuring the DNS server on the laptop using the fakedns module in Metasploit.

  4. Configure Burp to listen on specific ports for the incoming traffic from the iDevice and forward it to the appropriate port as follows:
    1. Go to Proxy > Options > Add; set "Bind to port" to the port where the traffic needs to be sent (note: this is the non-standard TCP port number recorded in Wireshark).
    2. Bind to all interfaces.
    3. Under Request Handling, set "Redirect to host" to the domain name of the server.
    4. Under Request Handling, set "Redirect to port" to the corresponding port number.
    5. Check "Force use of SSL" if the outgoing traffic is sent using HTTPS.
    6. Click OK and repeat the above steps for every port to which the iOS application explicitly sends HTTP traffic. In other words, every port requires a separate proxy listener in Burp.

Fig 3: Configure the incoming listener and redirect the iDevice traffic to the appropriate server IP and port.

  5. Configure the network settings on the iDevice:
    1. Settings > Wi-Fi > tap the hotspot network > DHCP, and set DNS to the IP of the laptop.
    2. Set HTTP Proxy to the IP address of the laptop and the corresponding port in Burp (this is the normal setting for proxying standard HTTP traffic).

Fig 4: Configure IP and DNS forwarding settings on the iOS device.

  6. Type "run" (or "exploit") in the Metasploit console and you will see the application traffic for the non-standard ports being proxied in Burp.
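As an added example (not code from the original post or from the Metasploit project), here is a minimal Python stand-in for what the fakedns module does in BYPASS mode: every A query is answered with the laptop's IP, except the bypass domain, which is forwarded to a real resolver. The laptop IP 192.168.137.1, the bypass domain www.apple.com and the upstream resolver 8.8.8.8 are assumptions; the query packets used for checking are constructed with build_query().

```python
import socket
import struct

# Assumptions (not from the original post): the hotspot laptop is 192.168.137.1,
# www.apple.com is left untouched (like TARGETACTION=BYPASS / TARGETDOMAIN), and
# bypassed names are resolved through 8.8.8.8.
SPOOF_TO = "192.168.137.1"
BYPASS_DOMAINS = {"www.apple.com"}
UPSTREAM_DNS = ("8.8.8.8", 53)


def parse_question(packet):
    """Return (qname, qtype, end_offset) for the first question in a DNS message.
    Handles the uncompressed names that clients put in queries."""
    labels = []
    offset = 12  # skip the 12-byte header
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    qtype, = struct.unpack("!H", packet[offset:offset + 2])
    return ".".join(labels), qtype, offset + 4  # +4 skips QTYPE and QCLASS


def build_query(txid, name, qtype=1):
    """Build a standard A query; constructed input for testing the responder."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)


def spoofed_response(query, spoof_ip=SPOOF_TO, bypass=BYPASS_DOMAINS):
    """Forge an A answer pointing at spoof_ip. Returns None when the name is in
    the bypass set or the query is not an A query, so the caller forwards it."""
    name, qtype, question_end = parse_question(query)
    if name.lower() in bypass or qtype != 1:
        return None
    # Same transaction ID, flags: response + recursion available, 1 question, 1 answer
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    question = query[12:question_end]
    answer = (b"\xc0\x0c"                               # pointer to the name at offset 12
              + struct.pack("!HHIH", 1, 1, 60, 4)       # TYPE A, CLASS IN, TTL 60, RDLENGTH 4
              + socket.inet_aton(spoof_ip))
    return header + question + answer


def extract_answer_ip(response):
    """Read the A record back out of a response built by spoofed_response()."""
    _, _, question_end = parse_question(response)
    return socket.inet_ntoa(response[question_end + 12:question_end + 16])


def serve(bind_ip="0.0.0.0", port=53):
    """UDP loop: spoof everything, resolve bypass names honestly upstream."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        query, client = sock.recvfrom(512)
        reply = spoofed_response(query)
        if reply is None:
            up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            up.settimeout(3)
            up.sendto(query, UPSTREAM_DNS)
            reply, _ = up.recvfrom(512)
            up.close()
        sock.sendto(reply, client)


if __name__ == "__main__":
    serve()  # needs root for port 53; point the iDevice's DNS at this machine
```

Run it as root on the hotspot machine and set the iDevice's DNS to that machine's IP; the Burp listeners then receive whatever the app opens to the spoofed name. Anything that is not an A query (AAAA, for instance) is passed upstream untouched so the device keeps working.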

This small tweak can be used to overcome the problem of proxying non-trivial iOS application traffic. Two caveats: the application is not proxy-aware, so the Burp listener needs "Support invisible proxying" enabled to accept its direct connections; and DNS spoofing only helps when the application resolves a host name. If it connects to a hard-coded IP address, redirect the traffic at the hotspot's firewall (for example with a NAT port-forwarding rule) instead.

Bypass iOS Version Check and Certification Validation (July 28, 2014)

Certain iOS applications check the iOS version number of the device. Recently, during testing of a particular application, I encountered an iOS application that checked for iOS version 7.1. If version 7.1 was not in use, the application would not install on the device and would throw an error.

This blog is divided into three parts:

  • Change the version number value in the SystemVersion.plist file
  • Change the version number value in the plist file present in the iOS application IPA
  • Use the iOS SSL Kill Switch tool to bypass certificate validation

Change version number value in SystemVersion.plist file

The version of a jailbroken iOS device can be faked in two simple steps by changing the value in the SystemVersion.plist file:

  1. SSH into the jailbroken device (or use iFile, available on Cydia) to browse the system folder.
  2. Change the 'ProductVersion' value in the '/System/Library/CoreServices/SystemVersion.plist' file to the desired iOS version.

Fig 1: The iOS version can be faked by changing the value of the ProductVersion key.

This changes the version number displayed under 'Settings/General/About' on the iOS device. Although this trick works on applications that check the value saved in '/System/Library/CoreServices/SystemVersion.plist', it won't work on every application. If it fails, we can use the second method given below.

Change version number value in plist file present in iOS application ipa.

If you are unsure which method the application uses to look up the version number, another simple trick is to change the minimum version the application itself declares. The version check in an IPA can be faked in three simple steps.

  1. Rename the .ipa to .zip and extract the folder.
  2. Find the Info.plist file, usually located in Payload/<appname>.app, and change the MinimumOSVersion string to the version you need.
  3. Zip the folder again and rename it back to .ipa. [Note: some applications may also use plist files other than Info.plist to check for the minimum version.]

Fig 2: MinimumOSVersion requirement defined in the Info.plist file of the iOS application.
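Both plist edits above can be scripted from the laptop. The following is an added Python example, not code from the original post or from any iOS tool: set_plist_key() rewrites one key while preserving the file's binary or XML encoding, fake_system_version() applies the first method to a copy of SystemVersion.plist pulled off the device, and lower_minimum_os() applies the second method to an IPA without unpacking it by hand, touching only the app bundle's own Info.plist and not the plists of bundled frameworks. The demo IPA, the bundle name Demo.app and the version strings are constructed for the example; the patched IPA still has to be re-signed, as the original post notes.

```python
import os
import plistlib
import shutil
import tempfile
import zipfile


def _plist_format(raw):
    """Keep whatever serialization the file already used (binary or XML)."""
    return plistlib.FMT_BINARY if raw.startswith(b"bplist00") else plistlib.FMT_XML


def set_plist_key(raw, key, value):
    """Return the plist bytes with `key` set to `value`, in the input's format."""
    data = plistlib.loads(raw)
    data[key] = value
    return plistlib.dumps(data, fmt=_plist_format(raw))


def fake_system_version(path, version):
    """Method 1: rewrite ProductVersion in a copy of
    /System/Library/CoreServices/SystemVersion.plist fetched from the jailbroken
    device over SFTP; copy the result back and the device reports `version`."""
    with open(path, "rb") as f:
        raw = f.read()
    with open(path, "wb") as f:
        f.write(set_plist_key(raw, "ProductVersion", version))


def _is_bundle_info_plist(name):
    # Payload/<app>.app/Info.plist only; nested frameworks keep their own value.
    parts = name.split("/")
    return (len(parts) == 3 and parts[0] == "Payload"
            and parts[1].endswith(".app") and parts[2] == "Info.plist")


def lower_minimum_os(ipa_in, ipa_out, version):
    """Method 2: rewrite MinimumOSVersion in the IPA's Info.plist and write a new
    archive. Returns the entries patched. The output is no longer validly signed
    and must be re-signed before it will install."""
    patched = []
    with zipfile.ZipFile(ipa_in) as zin, \
            zipfile.ZipFile(ipa_out, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            raw = zin.read(item.filename)
            if _is_bundle_info_plist(item.filename):
                raw = set_plist_key(raw, "MinimumOSVersion", version)
                patched.append(item.filename)
            zout.writestr(item, raw)
    return patched


def read_min_os(ipa_path):
    """MinimumOSVersion declared by the app bundle inside an IPA, or None."""
    with zipfile.ZipFile(ipa_path) as z:
        for name in z.namelist():
            if _is_bundle_info_plist(name):
                return plistlib.loads(z.read(name)).get("MinimumOSVersion")
    return None


def build_demo_ipa(path, min_os):
    """Constructed sample: a throwaway IPA with a binary Info.plist plus one
    nested framework plist that must be left alone."""
    app = {"CFBundleIdentifier": "com.example.demo", "MinimumOSVersion": min_os}
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist",
                   plistlib.dumps(app, fmt=plistlib.FMT_BINARY))
        z.writestr("Payload/Demo.app/Frameworks/Lib.framework/Info.plist",
                   plistlib.dumps({"MinimumOSVersion": min_os}))


def demo():
    """End-to-end run in a temp dir on constructed inputs; returns what changed."""
    work = tempfile.mkdtemp(prefix="ios-version-")
    try:
        src, dst = os.path.join(work, "demo.ipa"), os.path.join(work, "demo-patched.ipa")
        sysver = os.path.join(work, "SystemVersion.plist")
        build_demo_ipa(src, "7.1")
        with open(sysver, "wb") as f:
            f.write(plistlib.dumps({"ProductName": "iPhone OS", "ProductVersion": "6.1.3"}))
        result = {"min_os_before": read_min_os(src)}
        result["patched"] = lower_minimum_os(src, dst, "6.0")
        result["min_os_after"] = read_min_os(dst)
        with zipfile.ZipFile(dst) as z:
            result["binary_kept"] = z.read("Payload/Demo.app/Info.plist").startswith(b"bplist00")
            nested = z.read("Payload/Demo.app/Frameworks/Lib.framework/Info.plist")
            result["framework_min_os"] = plistlib.loads(nested)["MinimumOSVersion"]
        fake_system_version(sysver, "7.1")
        with open(sysver, "rb") as f:
            result["product_version"] = plistlib.load(f)["ProductVersion"]
        return result
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a real IPA, run lower_minimum_os() on the downloaded package, re-sign the output, then install; keeping the plist's original encoding matters because some loaders reject an XML plist where a binary one is expected.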

Manipulating any file inside the IPA breaks the code signature, so the IPA needs to be re-signed. We can use the tool given on Christoph Ketzler's blog.

Some applications also perform the version check during the installation process. When a user tries to install the application from the IPA using iTunes or Xcode, the installer checks the iOS version running on the device and, if it is lower than the minimum required version, throws an error similar to the one below.

Fig 3: Error message while installing the application using Xcode.

The version check performed during the installation stage can be bypassed with this simple trick:

  1. Rename the .ipa application package to .zip and extract the .app folder.
  2. Copy the .app folder to the path where iOS applications are installed (/root/application) using an SFTP client like WinSCP.
  3. SSH into the device, browse to the folder where the app was copied, and make the .app folder executable (chmod -R 755 is enough; chmod -R 777 also works but grants more than is needed). Alternatively, right-click the .app in WinSCP, choose Properties and check the read, write and execute permissions.
  4. Restart the iOS device and the application will be installed.

Fig 4: Changing the permissions of the .app bundle to executable.

iOS Certificate validation bypass

Some applications perform strict certificate validation, known as certificate pinning, to prevent their traffic from being proxied by a MitM proxy like Burp. Typically the application has the server's certificate, or its public key, hard-coded into the binary and compares it against the certificate presented during the TLS handshake; the certificate generated by an intercepting proxy does not match, so the application rejects the connection with a validation error. Refer to my co-worker Steve Kern's blog on Certificate Pinning in a Mobile Application for further details.

Locating and patching the pinning check inside the application can be time consuming. An alternative approach is to use the iOS SSL Kill Switch tool developed by iSEC Partners. It hooks the Secure Transport API, the lowest-level TLS API on iOS, and disables certificate validation there. Most applications validate server certificates through NSURLConnection, a higher-level API built on top of Secure Transport, so disabling validation at the lower layer covers them as well. More technical details can be found here.

Bypassing certificate validation can be performed in the following steps:

  1. Install the iOS SSL Kill Switch package.
  2. Make sure the dependencies listed on the installation page are installed prior to installing the software.
  3. Restart the device, or restart SpringBoard using the command 'killall -HUP SpringBoard'.
  4. Enable the 'Disable Certificate Validation' option in 'Settings/SSL Kill Switch'.
  5. Restart the application and confirm that a MitM proxy can intercept the traffic.

More generally, certificate pinning can be bypassed by hooking the API that performs the certificate check and making it always report the certificate as valid. MobileSubstrate is a useful framework for writing such tweaks. A few other handy tools, like TrustMe by Intrepidus Group and Snoop-it by Neso Labs, also disable certificate pinning. Note that SSL Kill Switch only disables the client's validation of the server certificate; if the server additionally requires a client certificate (mutual TLS), that certificate and its private key still have to be extracted from the application and configured in the proxy.

Fig 5: Turn off certificate validation using SSL Kill Switch.

Reverse Engineering iOS Applications in a Fun Way (December 13, 2013)

Analyzing iOS application binaries to manipulate Objective-C functions is not a trivial process. The most common way to start reverse engineering is to class-dump the application to discover all of the class names and methods it contains. This can also be done at runtime using Cycript, which is available from Cydia (and Cydia is installed by default when we jailbreak an iOS device). A common way to manipulate the runtime environment is by calling methods present within an application. Any process can be hooked with Cycript using the following steps:
  • Attach to the process using Cycript
  • Print all the method and class names
  • Replace existing Objective-C methods using the MobileSubstrate framework
A more technical, step-by-step description of the above process is given on the iPhone Dev Wiki. The most difficult and time-consuming part is recognizing the classes and objects needed to call the required methods. The traditional approach is to perform a class dump of the binary to get the methods that can be invoked: we can use Crackulous to dump the decrypted version of the application and class-dump-z to list the method names present in the __OBJC segment. There are also a couple of tools (iNalyzer and Snoop-it) that save a lot of time by performing reverse engineering and function hooking for the entire application. In this blog I have analyzed the TWCSportsNet application. I chose this application because it has two security controls implemented; it refuses to work unless:
  1. The device is not jailbroken.
  2. The device is located in Southern California or Nevada (live streaming is not available for any other region).
We will bypass those restrictions using two modern tools, iNalyzer and Snoop-it.

iNalyzer:

iNalyzer is a handy tool developed by AppSec Labs. It creates a map of the entire application and dumps a Doxygen script, which is used to create an HTML page that shows all the method and class names. It also creates a graphical view of classes and functions using Graphviz. To use it, we install a client-side application on the jailbroken device. When the application is started, it creates a web listener on port 5544, and we can connect to it from our laptop by visiting https://<iPhone IP address>:5544. Next we point iNalyzer at the application we want to reverse engineer. iNalyzer extracts the entire application and creates a zip file. After unzipping it, there is a dox.template file in the appname/Payload/Doxygen/ folder. This file can be given as input to Doxygen, which outputs an HTML map of the entire application.

Limits of iNalyzer:

It does not let us dynamically analyze the workflow of the application. For example, if we tap a send button in an iOS application, we do not get to see the classes and the various methods that are invoked.

Fig 1: iNalyzer output for the TWCSportsNet application.

iNalyzer is meant to support interacting with applications dynamically and invoking methods; it uses Cycript as the base to do so. However, I was not able to perform any dynamic interaction with the application using iNalyzer, so I used a different tool, Snoop-it, to interact with the application and invoke methods.

Snoop-it:

Snoop-it is an amazing tool developed by Neso Labs, used to perform comprehensive dynamic analysis. We can trace and manipulate the internal state and processing logic of an iOS application. Snoop-it can be installed by adding the https://repo.nesolabs.de/ repository in Cydia on a jailbroken device. It has various features, such as evading detection of a jailbroken iOS device. Most applications detect jailbroken devices by looking for common paths like the Cydia installation directory (/Applications/Cydia.app) or /private/var/stash. The normal methodology, without tools like iNalyzer or Snoop-it, would consist of identifying the function that detects jailbroken devices and then hooking it with a MobileSubstrate tweak.

Bypass jailbreak detection:

Fig 2: Before and after using Snoop-it.

Analyzing Objective-C classes:

When I looked at the class LocationServicesManager, I found a BestEffortLocation method that stores my current location.

Fig 3: The BestEffortLocation method contains my actual latitude and longitude.

Fig 4: Function which sets a Boolean flag depending on the user's current location.

Monitor application activity via method tracing:

The location is updated and sent to the server through an HTTP request carrying my current latitude and longitude. We can trace the calls and corresponding methods for any activity by enabling the Method Tracing functionality.

Fig 5: Longitude and latitude being sent via the footprint service.

Intercept the request and change the location via Burp:

The request can be intercepted and, by changing the longitude and latitude to a location in Los Angeles, we can view live television and bypass the location restriction. Although this could be performed directly by manipulating parameters in a proxy, Snoop-it and iNalyzer give us an in-depth view of the inner functionality of the application.

Fig 6: Intercepted and modified request using Burp.

Fig 7: Before and after changing the location.
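The interception step above is done by hand in Burp. As an added example (not code from the original post, and not the application's real request format), the following Python routine performs the same rewrite automatically so it can be dropped into a proxy script or a match-and-replace rule: it swaps the latitude and longitude wherever they appear in a raw HTTP/1.1 request (query string, JSON body or form body) and recomputes Content-Length, which a manual edit of the body easily gets wrong. The field names "latitude"/"longitude", the downtown Los Angeles coordinates, and the sample request are assumptions constructed for the example.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed parameter names and target coordinates (downtown Los Angeles); the real
# app's field names are not shown in the post.
TARGET = {"latitude": "34.0522", "longitude": "-118.2437"}

# Constructed sample request modelled on the "footprint" update from the method
# trace: the location appears both in the query string and in a JSON body.
_SAMPLE_BODY = b'{"device":"ios","location":{"latitude":36.1699,"longitude":-115.1398}}'
SAMPLE_REQUEST = (
    b"POST /footprint/update?latitude=36.1699&longitude=-115.1398 HTTP/1.1\r\n"
    b"Host: api.example.invalid\r\n"
    b"Content-Type: application/json\r\n"
    + b"Content-Length: %d\r\n" % len(_SAMPLE_BODY)
    + b"\r\n" + _SAMPLE_BODY
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = [(k.strip(), v.strip())
               for k, v in (h.split(":", 1) for h in lines[1:] if h)]
    return method, path, version, headers, body


def get_header(headers, name):
    """Case-insensitive header lookup; None when absent."""
    return next((v for k, v in headers if k.lower() == name.lower()), None)


def _patch_json(node, target):
    """Recursively replace matching keys, keeping numeric values numeric so the
    server-side parser sees the same type it expects."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key in target and not isinstance(val, (dict, list)):
                numeric = isinstance(val, (int, float)) and not isinstance(val, bool)
                node[key] = float(target[key]) if numeric else target[key]
            else:
                _patch_json(val, target)
    elif isinstance(node, list):
        for item in node:
            _patch_json(item, target)


def rewrite_location(raw, target=TARGET):
    """Replace latitude/longitude in the query string and in a JSON or form body,
    then recompute Content-Length so the server does not hang or reject it."""
    method, path, version, headers, body = parse_request(raw)

    parts = urlsplit(path)
    if parts.query:
        query = dict(parse_qsl(parts.query, keep_blank_values=True))
        query.update({k: v for k, v in target.items() if k in query})
        path = urlunsplit(parts._replace(query=urlencode(query)))

    ctype = (get_header(headers, "Content-Type") or "").lower()
    if body and ctype.startswith("application/json"):
        doc = json.loads(body)
        _patch_json(doc, target)
        body = json.dumps(doc, separators=(",", ":")).encode()
    elif body and ctype.startswith("application/x-www-form-urlencoded"):
        form = dict(parse_qsl(body.decode(), keep_blank_values=True))
        form.update({k: v for k, v in target.items() if k in form})
        body = urlencode(form).encode()

    # The body length changed, so the framing header must change with it.
    if body or get_header(headers, "Content-Length") is not None:
        headers = [(k, v) for k, v in headers if k.lower() != "content-length"]
        headers.append(("Content-Length", str(len(body))))

    head = "\r\n".join([f"{method} {path} {version}"]
                       + [f"{k}: {v}" for k, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


if __name__ == "__main__":
    print(rewrite_location(SAMPLE_REQUEST).decode())
```

Only keys that already exist in the request are replaced, so the routine never adds location fields the app did not send; that keeps the modified request indistinguishable in shape from a genuine one.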

Spoof location and fake the UDID and MAC address of the device:

Fig 8: Fake location and fake UDID.

There are various other features, like monitoring the file system, checking values stored in the keychain and looking at the network traffic, which come in handy to save time during penetration testing of iOS applications.

Conclusion:

Snoop-it and iNalyzer make reverse engineering fun and less time consuming. They give a gray-box approach to penetration testing of iOS applications.
