I took advantage of an error in the code of a dating app

Eduardo Zepeda

January 3, 2025

Translations:

- es: Me Aproveché De Un Error En El Código De Una App De Citas

⏲ Reading time: 3 minutes

While using a Tinder-style dating app, one of those in which, after a mutual like, the application puts the people involved in contact, I noticed that, to promote their premium plan, they used blurred pictures to introduce you to the people who had pressed the Like button on your profile.

After having a couple of matches I noticed that the blurred pictures belonged to real accounts, that is, they were not a set of generic images or placeholders.

“Example of the blur effect applied to photography” — Example of the blur effect applied to photography

It sounded too obvious, so I opened my browser’s developer console and went to the CSS code to check my suspicions. They couldn’t possibly be making such a simple mistake—I thought—they’re protecting the identity of the photographs with a simple CSS filter: blur.

.hidden-image {
    filter: blur(4px);
}

Image processing of this dating app.

The actual images were served by the CDN of this app and then a filter was applied to hide them, so to find out who had liked you, you just had to remove the filter.

Unfortunately it was impossible to get any other data from the pictures or from the URL structure, API calls , or any other given; neither the name, nor the profile nor any other information was accessible other than the profile picture.

Don't settle with Javascript, learn Typescript too

If your Javascript skills are good enough to write some medium complexity applications, you should probably have noticed some of its weaknesses, Typescript was created to solve them, and there are platforms out there, like educative, which can teach you all you need to know about Typescript for a few bucks.

I want to learn Typescript

Where to learn software architecture?

It's super easy to learn the basis of programming, and languages' syntax, however learning how to structure big codebases and its flow is convoluted, because normally apps don't grow that big, and because is a relatively new area of knowledge, my favorite resources are "The system design interview series", but if you're not into books educative has a full course on system design too.

I'm all in for learning system design

How to obfuscate images in dating apps?

Certainly this was an architectural mistake, it is true that it is very easy to hide the images in the frontend, with CSS, you save disk space and avoid processing time in the backend, but a better option would have been to use a set of generic images for all accounts.

Another alternative would have been to generate a thumbnail (and other changes, like changing the format, example: webp ) automatically every time a user updates their main profile image; it consumes a bit more space but keeps the real images safe and personalizes the experience for each user.

flowchart TD id1[Profile picture change] --> id2[Generate blurred thumbnail ] id1 --> id3[Generate normal thumbnail ]

Exploiting the bug with a browser extension

To exploit the bug, I created a small Javascript script and integrated it into an extension to automate the process of unblocking them each time I entered the page.

This little oversight on the part of the developers lasted about two years. It has now been fixed so if you try to search for the bug on the main dating pages, you will no longer find it, and this is also the main reason that I decided to post about it

The application modified the code for its web version, leaving the rest of the UI almost intact and chose to create an obfuscated thumbnail for each account, but processing it from the backend, so that it is completely impossible to get the real image.