Hacking Tinder for Fun and Profit (opens in new tab)

(ydesouza.com)

39 pointsydesouza11y ago15 comments

15 comments

Or just use this handy node package. I used it to auto like 22,000 people in LA, and went on dates for 9 days in a row. Let's just say I'm a bit exhausted.

https://www.npmjs.org/package/tinderbot

Edit: My tinder bot: https://github.com/deftx/loltinder

kilroy12311y ago

Thank you very much for this. 22k in LA? Wow. Looks like there are only about ~3-5k in Portland, OR.

dylangeorge11y ago

This is the most useful dating advice I have ever seen on Hacker News.

crazypyro11y ago

I've been looking into packet tracing some mobile games that operate entirely online. I'm sure the mobile space is packed to the brim with unrestricted APIs... Thanks for the motivation/tips.

robterrell11y ago

I don't think it's an "unrestricted" API if it uses https and you have to intercept and extract an auth token from a valid session. But I get what you mean -- it is fun to look under the covers and see how the big companies do things.

crazypyro11y ago

Yeah, I agree. MITM attacking your own auth token is not a great example of an "unrestricted" API. I'm thinking more POST requests to games where you can edit resources, change high score, etc. The kind of stuff you used to see all the time on web games, before popularity increased to the point where the developers had to take care of it.

I'd just imagine developers are a lot less wary about security holes because they assume that their client is "just" a smartphone and not a rooted packet sniffer.

timtamboy6311y ago

Oh they absolutely are. If you want a kick, look at snapchat's headers :)

cheepin11y ago

You can combine with an Android emulator (to spoof GPS location), and a fake facebook to be literally anybody, anywhere, and see who likes you. While it's certainly not the intended use of the app, A/B testing your appearance to different regions is not out of the question.

dx410011y ago

You can also send your GPS location through the API.

oftheloop11y ago

A buddy of mine did almost exactly the same thing a few months back. Here is a link to that http://blog.venkatesh.ca/automating-tinder/

denwer11y ago

Here is a cached version since the response time seems quite high to me: http://webcache.googleusercontent.com/search?q=cache:EqfLajb...

fernandotakai11y ago

Is it possible to mitigate this kind of thing by using certificate pinning?

eropple11y ago

How would that help? The client doesn't need to trust anything from the server, just firehose likes back at it.

Even if you were for some reason using client certificates, you'd just have to rip apart the Tinder APK to get the cert and you're done.

cmartin12311y ago

By pinning the cert, the inspection of the protocol wouldn't have been possible the first place, since the app would reject fiddler's SSL cert. The tinder APK would only contain the information needed to verify the cert, not generate a valid one. If this wasn't the case, SSL would be useless.

1 more reply

j / k navigate · click thread line to collapse

15 comments

dx410011y ago

Or just use this handy node package. I used it to auto like 22,000 people in LA, and went on dates for 9 days in a row. Let's just say I'm a bit exhausted.

https://www.npmjs.org/package/tinderbot

Edit: My tinder bot: https://github.com/deftx/loltinder

kilroy12311y ago

Thank you very much for this. 22k in LA? Wow. Looks like there are only about ~3-5k in Portland, OR.

dylangeorge11y ago

This is the most useful dating advice I have ever seen on Hacker News.

crazypyro11y ago

I've been looking into packet tracing some mobile games that operate entirely online. I'm sure the mobile space is packed to the brim with unrestricted APIs... Thanks for the motivation/tips.

robterrell11y ago

crazypyro11y ago

I'd just imagine developers are a lot less wary about security holes because they assume that their client is "just" a smartphone and not a rooted packet sniffer.

timtamboy6311y ago

Oh they absolutely are. If you want a kick, look at snapchat's headers :)

cheepin11y ago

dx410011y ago

You can also send your GPS location through the API.

oftheloop11y ago

A buddy of mine did almost exactly the same thing a few months back. Here is a link to that http://blog.venkatesh.ca/automating-tinder/

denwer11y ago

Here is a cached version since the response time seems quite high to me: http://webcache.googleusercontent.com/search?q=cache:EqfLajb...

fernandotakai11y ago

Is it possible to mitigate this kind of thing by using certificate pinning?

eropple11y ago

How would that help? The client doesn't need to trust anything from the server, just firehose likes back at it.

Even if you were for some reason using client certificates, you'd just have to rip apart the Tinder APK to get the cert and you're done.

cmartin12311y ago

1 more reply

j / k navigate · click thread line to collapse