If your eyes glaze over when you see the term “man-in-the-middle attack” [MiTM] in tech news about security breaches, you can be forgiven. It sounds really abstract. We tried to make it a bit more exciting when we wrote about the first big porn site to go TLS-secure, but it’s still tough to picture. Security researcher and startup founder, Anthony Zboralski of Belua, wrote a post on Hacker Emergency Response Team’s Medium blog where he puts these scams in terms everyone can understand: catfishing.
I’m writing this to help you picture how cybercrime works and why privacy is important, but let’s make it all a little more concrete first. If you can insert yourself into two people’s date-making plans without them knowing, you can pull pranks. For example, let’s say you use the following technique so that Shawn and Jennifer unknowingly communicate through you to set up a date for Friday at 8. You could then schedule three more women to meet up with Shawn at the same time and place, without either Shawn or Jennifer knowing what you were up to. With this method, the potential paramours don’t realize that anyone else knows their plans, but you do.
Here’s how Zboralski describes how you can run a MiTM attack to listen in on two people making plans and even interject your own scheme. Don’t do this. It’s terrible. Unless you’re a misanthrope. Then there’s probably not a better way to spend your weekend.
You may need to read this more than once to get it. If it weren’t confusing, everyone would do this stuff all the time. That said, it’s not technical at all.
First, you’ll need a Tinder account to do some research. For the fastest results, find a profile of a real, fairly attractive male nearby where you live. Let’s call him “Shawn.” “The initial target has to be a male, the attack is less likely to succeed if we pick a female,” Zboralski writes. “Men propose, women dispose…” (If this all sounds a bit too gender-binary for you, please run a more enlightened violation of someone’s privacy and let us know how it works out.) Take screenshots of Shawn’s photos and use them to set up a fake Tinder profile (which will require a fake Facebook profile). Be sure to set it to the same first name and probably the same age.
Second, swipe right with your fake profile like crazy. Just go to town. Do it until someone matches with you that you believe will be hard for the real Shawn to resist. Now you have your bait. Take screenshots of all of her photos and set up your second fake profile, for the lady. Let’s say her name was “Jennifer.”
Third, take your fake Jennifer profile and swipe until you find the real Shawn. Swipe right. In fact, Zboralski suggests using super-likes. Cross your fingers. At this point, you’ll probably need a second device, like maybe a cheap burner phone or a tablet, for the additional profile. As long as the real Shawn matches with the fake Jennifer, you’re in business (if he doesn’t, you can always just find a new match for your fake Shawn).
Now, you are in a position to eavesdrop on their conversation. Anything that the real Jennifer says to the fake Shawn, or vice versa, you just copy into a message from the other fake account to the other real account.
So, if Shawn uses the Dating Hacks Keyboard, he might open with something like “My parents are so excited, they can’t wait to meet you!” Only, fake Jennifer will receive it. So copy that as a message into fake Shawn’s account and send it to real Jennifer—did you follow that? Await their reply. Copy again, and so it goes.
Assuming Shawn has adequate game, he’ll talk his way into digits. Provided he does, that does not mean you have to quit listening in. Just substitute the real phone numbers for phone numbers that correspond to fake phones. This should be super easy from here, because no one actually makes phone calls anymore. Provided no one actually tries to call each other, it should be no harder to copy texts than it was to copy Tinder messages. If anyone does actually get weird and call, though, Zboralski’s post has instructions.
You’re going to be able to keep listening in until the two finally set up a real date and meet face to face.
In what I’ve just described, all you’re doing is listening in. Which is fun, but pretty tame.
The possibilities are really endless. In fact, if you really want to target a specific Tinder user, you could probably swing it if you know them well enough. If you do this you are awful. Funny, but awful.
Tinder may not keep track of all the places you log in, but it didn’t have a great reply to Zboralski’s post. The “Tinder Security Team” sent Zboralski the following response when he reported this attack to them.
While Tinder does employ several manual and automated mechanisms to deter fake and/or duplicate profiles, ultimately, it is unrealistic for any company to positively validate the real-world identity of millions of users while maintaining the commonly expected level of usability.
It’s not the only recent security slip for the company, and fake profiles using real faces to scam lonely men and women on social media are a real problem. We previously reported on a Russian startup, N-Tech Labs, that can take cell phone photos and reliably match them to members of VK, a site much like Facebook. Dr. Alec Couros’s likeness has been very widely used online to run romance scams, without his consent. It’s just one more reason why online dating is awful.
This particular problem should be solvable with existing technology. If machine learning has gotten good enough to match two different photos of the same face, you would think matching basically the exact same photo would be a breeze. Tinder, which is owned by the Match Group of online dating sites, was not immediately available for comment about whether or not it is using machine learning to spot this kind of spoof. Its response above isn’t encouraging, however.
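Matching "basically the exact same photo" does not even need machine learning. The sketch below is an added example, not code from the article, from Zboralski's post or from Tinder: a difference hash (dHash) that flags a re-uploaded screenshot of an existing profile photo. The synthetic "photos", the 10-bit threshold and every function name are assumptions made for illustration.

```python
def synth_photo(a, b, k, cell=8):
    """Constructed stand-in for a grayscale photo: 8x9 flat blocks, upscaled."""
    return [[(a * (y // cell) + b * (x // cell) + k) % 256
             for x in range(9 * cell)] for y in range(8 * cell)]

def recapture(img):
    """Simulate a screenshot: 3/4 size, washed-out contrast, mild pixel noise."""
    h, w = len(img) * 3 // 4, len(img[0]) * 3 // 4
    return [[img[y * 4 // 3][x * 4 // 3] * 0.9 + 12 + ((7 * x + 13 * y) % 5 - 2)
             for x in range(w)] for y in range(h)]

def shrink(img, w=9, h=8):
    """Block-average the image down to 9 columns by 8 rows."""
    bh, bw = len(img) // h, len(img[0]) // w
    return [[sum(img[r * bh + i][c * bw + j]
                 for i in range(bh) for j in range(bw)) / (bh * bw)
             for c in range(w)] for r in range(h)]

def dhash(img):
    """64-bit difference hash: one bit per 'is the left cell darker than the right'."""
    bits = 0
    for row in shrink(img):
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | int(left < right)
    return bits

def hamming(h1, h2):
    """Number of differing bits between two hashes."""
    return bin(h1 ^ h2).count("1")

def is_probable_duplicate(img_a, img_b, max_bits=10):
    """Assumed threshold: at most 10 of 64 bits differ means 'same picture'."""
    return hamming(dhash(img_a), dhash(img_b)) <= max_bits

# Constructed sample data: an existing profile photo, a screenshot of it
# uploaded by a new account, and an unrelated photo.
ORIGINAL = synth_photo(37, 101, 0)
SCREENSHOT = recapture(ORIGINAL)
UNRELATED = synth_photo(53, 67, 90)

if __name__ == "__main__":
    for name, img in (("screenshot", SCREENSHOT), ("unrelated", UNRELATED)):
        d = hamming(dhash(ORIGINAL), dhash(img))
        print(f"{name}: {d} bits differ, duplicate={is_probable_duplicate(ORIGINAL, img)}")
```

Because the hash records only which neighbouring region is brighter, resizing and contrast changes leave it intact, so a new account whose photos all hash close to another account's photos can be queued for review.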
Hopefully, this explanation of MiTM attacks makes it easier to picture how eavesdropping works online rather than making it easier for you to picture ruining your friends’ weekends. And if it creeps you out, then maybe don’t use services like Gmail and Allo, which are basically eavesdropping tech that we opt into. If it’s gross for one person to listen in on one conversation, why isn’t it gross for giant companies to listen in on all conversations?
Be careful out there.
h/t: Detectify’s newsletter.