Valentine’s Day is Saturday, and if you met your significant other by way of a mobile dating app or used it to hunt for a new love, there’s a chance you may have, in the process, exposed some data on yourself or your workplace to hackers.
That’s the finding of a new study by the security branch of IBM, which found that 60 percent of dating apps running on Google’s Android platform contain software vulnerabilities that open them up to potential attack.
In the study, Big Blue looked at 41 popular dating apps for Android phones and the kind of personal information they have access to on the phone. Of that batch, 73 percent had access to the current and historical location information stored on the phone. Several contained vulnerabilities that would allow an attacker to seize control of the phone’s camera or microphone, or to hijack and change a personal profile on the site.
One frustrating bit: IBM doesn’t take the extra step to name-and-shame the apps that suffer from these vulnerabilities, though one hopes they’ve been quietly informed. In August, a flaw disclosed in Grindr, a dating app for gay men, could allow someone to look up the location of its users. Grindr quickly issued a fix.
What kind of vulnerabilities were they? Cross-site scripting attacks were the most common, IBM found. That’s when an attacker can inject code into a Web page or app that makes a computer or phone execute local commands without the knowledge of the user. One way to carry out such an attack would be to use an open Wi-Fi connection or a rogue Wi-Fi hotspot.
Another vulnerability that showed up in the dating apps was phishing attacks, where a hacker creates a fake but legitimate-looking login screen for an app or site in order to capture user names and passwords.
What to do about all this? Big Blue dispenses a cupful of common sense: Keep your dating profile lean and don’t disclose much personal information, for one thing. Also, use unique passwords for each app or site you use. And regularly review the permissions settings for each app you use so that you know what information and functions it can use on your phone.
Update: As I noted, IBM didn’t name any of the vulnerable apps, but IAC Interactive, which owns some of the most popular dating sites and mobile apps including Match.com, OkCupid and Tinder, wants you know its apps are not among them.
The company just sent over a statement: “IBM tested IAC’s dating apps – including Match, OkCupid, and Tinder – and they were not among the apps found to exhibit the cited vulnerabilities. We are confident in the continuing security measures we take to make sure our products meet the highest security standards.” Okay, then.
This article originally appeared on Recode.net.