The Paktor app allows you to find out email addresses, and not just of those users that are viewed. All you need to do is intercept the traffic, which is easy enough to do on your own device.
This is done using the authentication token the app receives from Facebook.
By modifying this request slightly – removing some of the original request and leaving the token – you can find out the name of the user in the Facebook account for any Happn users viewed.
The attack is based on a function that displays the distance to other users, usually to those whose profile is currently being viewed.
Even though the application doesn’t show in which direction, the location can be learned by moving around the victim and recording data about the distance to them.
Information about users in all the other apps is usually limited to just photos, age, first name or nickname.
We couldn’t find any accounts for people on other social networks using just this information. In one case the search recognized Adam Sandler in a photo, despite it being of a woman that looked nothing like the actor.
We were interested in what could be intercepted if, for example, the user connects to an unprotected wireless network – to carry out an attack it’s sufficient for a cybercriminal to be on the same network.
Even if the Wi-Fi traffic is encrypted, it can still be intercepted on an access point if it’s controlled by a cybercriminal.
Some apps only allow users with premium (paid) accounts to send messages, while others prevent men from starting a conversation.
These restrictions don’t usually apply on social media, and anyone can write to whomever they like.
This allows an attacker, for example, to see which accounts the victim is currently viewing.