Sign up to our newsletter
The latest security news direct to your inbox
Smartphone dating app Tinder revealed more about its users than they might have wished over a period of several months last year – revealing their location to other app users to an accuracy of around 100 feet, according to The Verge’s report.
Time Magazine said that the glitch highlighted the dangers facing apps which rely on user location. Reseachers from white-hat independent security firm Include Security were able to pinpoint user locations to within an accuracy of 100 feet for several months.
The flaw was revealed in a blog post this week by Include Security, who said, “Tinder is an incredibly popular dating app. It presents the user with photographs of strangers and allows them to “like” or “nope” them. When two people “like” each other, a chat box pops up allowing them to talk. What could be simpler?” The problem, Tinder’s researchers say, lay in the fact it was possible to dig into the data, using fake accounts to triangulate a more accurate position for other app users.
The researchers created a web app, TinderFinder, which could, they claimed, pinpoint any user to within 100 feet within a city. The researchers were keen to point out that they had no intention of making this web-app public. “This vulnerability allows any Tinder user to find the exact location of another tinder user with a very high degree of accuracy (within 100ft from our experiments).”
The method could also be used to pinpoint specific Tinder users, whenever they opened the app, Include claims, “This vulnerability finds the last location the user reported to Tinder, which usually happens when they last had the app open.
Bloomberg Businessweek commented that, “Depending on the neighborhood, that’s close enough to determine with alarming accuracy where, say, an ex-girlfriend is hanging out.”
Speaking to Bloomberg, Erik Cabetas, founder of Include, said that the firm’s policy was to report such vulnerabilities, then give the companies three months to fix them before publishing their findings. Cabetas said that he alerted the firm to the vulnerability on October 23 2013, and did not receive a response until December 1. The flaw was fixed by early January.
The firm has yet to make an official statement regarding the privacy breach, and company executives were not available to comment.
The app has previously drawn criticism for privacy glitches, and Quartz magazine reported that an earlier breach where location information and Facebook IDs were revealed over the network was played down by company engineers, who claimed that the breach had lasted hours rather than months.
The firm eventually released a statement saying, “On two different occasions, we became aware that our API was returning information that it should not have been. In both occasions, we promptly addressed and fixed the glitch. With respect to location data, we do not store the current location of a Tinder user but rather a vague/inaccurate point in space. We are extremely committed to upholding the highest standards of privacy and will continue to take all necessary steps to ensure our users’ data is protected from internal and external sources.”
The Verge comments in its report, “While the flaw appears to have come and gone without issue, this type of behavior is unlikely to go away anytime soon. An increasing number of apps — such as Tinder and Grindr — have been making heavy use of basic location data to introduce users to others nearby them. It’s a fun mechanic, but one that obviously lends itself to plenty of privacy concerns.”
Author Rob Waugh, We Live Security