Give me moar ??
With this sort of eureka moment my already high curiosity got even higher, the next thing I wanted to know was how Tinder’s swiping worked.
When you load the page the core request gets fired, bringing with it an array of 16 users (Fired again if you swipe them all). Remember this, we will come back to it in a bit.
I didn’t find any utility for the pass and superlike but a really good one for the like, again, keep on reading, we still need one extra piece to solve one of the puzzles!
Another one of the useful Tinder’s premium features is that you can redo a swipe, well we can also hack our way through to get this one for free too by using what we just learned.
To reproduce and modify any request go to the Network tab, right-clicking on it and then Copy as fetch. Then go to the console, paste it and hit enter. At the end of the post there is a gif doing just that.
So, we just have to take the ID of the person that we want to show our interest to and put it in the like request:
On a side note, I also found that when you have a match* it lets you chat with that person, by clicking on their profile you trigger the usual get by ID.
This is useful because if you want to redo a like but you are not sure which ID is the correct one, with this you can check it.
Hacking the ‘save profile’ section ???
Of course, when you can update some existing values there’s the possibility that the devs don’t validate in the backend what you are sending, so you could alter the payload to do something like:
I found that in Tinder’s web version you can’t change your city (In the mobile app you can), but you can edit the payload to do so:
To be fair this is a difficult one to validate since you depend on some library or service blackpeoplemeet desktop on the frontend to get the valid values (In this case most likely Google Map API).
To prevent this they would have to also call the same service in the backend to check if whatever the user is sending is valid but, let’s be honest, I don’t think that creating your own cities is such a big deal to do that.
- I was talking with one girl after a match and for some reason she deleted all her photos No, it wasn’t because I creep her out but I had copied her profile as a JSON Okay that may be considered creepy and because of that I tried to get one of her picture URLs and… they were still there. Most likely Tinder have the rights to hold them for some time (maybe forever, read terms and conditions kids) but it’s a reminder that we left a lot of data on the internet, even when we stop using that site/app.
- The superlike request gets validated on Tinder’s backend, I tried modifying my profile data to add me some of these powerups but it also gets validated.
- When you put a wrong code in promo code input the status code of the response will be a 500, am I the only one to feel it like a microaggression? Jokes aside this one has some implications, if they have some error monitoring it’s likely the will register 5XX errors, so you could trigger some alarms by spamming this request. No, don’t do it.