I took advantage of an error in the code of a dating app

While using a Tinder-style dating app, one of those in which, after a mutual like, the application puts the people involved in contact, I noticed that, to promote their premium plan, they used blurred pictures to introduce you to the people who had pressed the Like button on your profile.

After having a couple of matches I noticed that the blurred pictures belonged to real accounts, that is, they were not a set of generic images or placeholders.

Example of the blur effect applied to photography

It sounded too obvious, so I opened my browser’s developer console and went to the CSS code to check my suspicions. They couldn’t possibly be making such a simple mistake—I thought—they’re protecting the identity of the photographs with a simple CSS filter: blur.

.hidden-image {
    filter: blur(4px);
}

Image processing of this dating app.

The actual images were served by the CDN of this app and then a filter was applied to hide them, so to find out who had liked you, you just had to remove the filter.

Unfortunately it was impossible to get any other data from the pictures or from the URL structure, API calls, or any other given; neither the name, nor the profile nor any other information was accessible other than the profile picture.

How to hide images in dating apps?

Certainly this was an architectural mistake, it is true that it is very easy to hide the images in the frontend, with CSS, you save disk space and avoid processing time in the backend, but a better option would have been to use a set of generic images for all accounts.

Another alternative would have been to generate a thumbnail (and other changes, like changing the format, example: webp) automatically every time a user updates their main profile image; it consumes a bit more space but keeps the real images safe and personalizes the experience for each user.

Exploiting the bug with a browser extension

To exploit the bug, I created a small Javascript script and integrated it into an extension to automate the process of unblocking them each time I entered the page.

This little oversight on the part of the developers lasted about two years. It has now been fixed so if you try to search for the bug on the main dating pages, you will no longer find it, and this is also the main reason that I decided to post about it

The application modified the code for its web version, leaving the rest of the UI almost intact and chose to create an obfuscated thumbnail for each account, but processing it from the backend, so that it is completely impossible to get the real image.

Were you taking advantage of this too? Bonus points if you know the name of the website.

The above is the detailed content of I took advantage of an error in the code of a dating app. For more information, please follow other related articles on the PHP Chinese website!