An encryption flaw discovered by security researchers in the popular dating app Tinder may allow hackers to view a user’s photos and track their actions, including when they swipe left or right on someone.

Application security testing company Checkmarx first identified the issue , which allows an attacker to decode encryption signatures in both the iOS and Android version of Tinder to see what actions a user took while viewing the profile of another user.

According to the researchers, most aspects of Tinder uses the HTTPS communications protocol, which creates a secure and encrypted tunnel that allows information to travel between the user’s device and Tinder’s servers while using the app.

However, profile photos on Tinder are still served up through HTTP protocols, which are not secure. Given that photos are such a major part of the Tinder experience, the lack of security surrounding them seems surprising.

Because the connection used by Tinder to request and display photos isn’t encrypted, it is possible for an attacker sitting on the same network as the user to intercept those photos along with other information including user activity.

Essentially, the lack of encryption opens Tinder up to what is known as a man-in-the-middle attack. These types of attacks occur when a threat actor is able to sit in between an individual and the server they believe they are communicating directly with in order to intercept or even meddle with information as it moves between the user’s device and the server.

An attacker making use of the encryption flaw in Tinder could not only hijack photos as they are delivered from the Tinder server, they could also replace those photos before reaching the user and serve up fake images.

In addition to photos, an attacker could also gain access to information from Tinder’s application program interface (API) server that tracks the way the user interacts with a profile. The information includes details like whether the user liked, didn’t like or super liked a profile.

This information is also made available due to an encryption flaw. While the data packets sent through Tinder’s API are encrypted, the payload size for those packets remain the same size for each action, making them extremely predictable. That allows an attacker to determine exactly how a user interacted with a profile without being able to directly see the decrypted actions.

The attack on Tinder does have its limitations; it requires the attacker to be connected to the same network, such as a public Wi-Fi network, as the victim. Beyond that, the attack is essentially undetectable as it is a passive attack—the app itself is never manipulated, just information being sent to and from it is intercepted.

The researchers encouraged Tinder to update its encryption protocol and move all images to a secure communications method to thwart the attack. They also advised making sure the packets for all actions are the same size to make them indistinguishable to someone who may be watching.

Tinder did not reply to request for comment at the time of publication.