Tinder Privacy Flaw Exposed Users’ Locations
An internet security firm found a vulnerability in Tinder that allowed them to pinpoint users’ exact locations.
IncludeSecurity first noticed the flaw on October 23rd and, after immediately notifying Tinder, says the problem wasn’t fixed until January 1st.
In a blog post yesterday, one of their researchers, Max Veytsman, explained his process.
He first used Tinder’s API to find how far he was from another user.
Veytsman then created three fake profiles at different locations and could triangulate a user’s location to within 100ft.
He said: “Anyone with rudimentary programming skills could query the Tinder API directly and pull down the co-ordinates of any user.”
He created a site called TinderFinder, which automated this process and let him locate a user simply by entering their user ID.
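To show why a precisely reported distance leaks location, and why coarsening that figure to the nearest mile (the fix the article describes) limits the leak, here is an added simulation that is not part of the original article or of IncludeSecurity’s work. It uses a flat plane measured in feet, a constructed target and three constructed probe positions, and models only the server’s distance reply: each probe is told its distance to the target rounded to a chosen granularity, and a grid search then counts how many points remain consistent with all three replies.

```python
import math

FEET_PER_MILE = 5280.0


def reported_distance(probe, target, precision_ft):
    """Distance the server tells a probe, rounded to precision_ft.

    precision_ft=1 models the pre-fix behaviour (effectively exact);
    FEET_PER_MILE models reporting only to the nearest mile."""
    true_distance = math.dist(probe, target)
    return round(true_distance / precision_ft) * precision_ft


def consistent_points(probes, reports, precision_ft, area_ft=20000, step_ft=50):
    """Grid-search the area for every point whose distance to each probe lies
    within the rounding window of what that probe was told."""
    points = []
    steps = int(area_ft // step_ft) + 1
    for i in range(steps):
        for j in range(steps):
            candidate = (i * step_ft, j * step_ft)
            if all(abs(math.dist(candidate, p) - r) <= precision_ft / 2
                   for p, r in zip(probes, reports)):
                points.append(candidate)
    return points


def locate_with_precision(precision_ft, target=(11150.0, 7750.0)):
    """Return (candidate count, bounding-box width, bounding-box height) for a
    constructed target and three constructed probes at the corners of the
    search area. The default target sits on the 50ft grid, so at least one
    candidate (the target itself) is always found."""
    probes = [(0.0, 0.0), (20000.0, 0.0), (0.0, 20000.0)]
    reports = [reported_distance(p, target, precision_ft) for p in probes]
    pts = consistent_points(probes, reports, precision_ft)
    xs = [x for x, _ in pts]
    ys = [y for _, y in pts]
    return len(pts), max(xs) - min(xs), max(ys) - min(ys)


if __name__ == "__main__":
    for label, precision in (("exact distance (pre-fix)", 1.0),
                             ("nearest mile (post-fix)", FEET_PER_MILE)):
        n, w, h = locate_with_precision(precision)
        print(f"{label}: {n} candidate points, region {w:.0f} x {h:.0f} ft")
```

With exact replies the three circles meet at a single grid cell; with mile-rounded replies the consistent region spans thousands of feet in each direction.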
IncludeSecurity is an internet security consultancy which, in addition to providing security assessments for clients, runs a “white-hat hacking” service – exposing flaws in popular apps, websites and software.
Their founder, Erik Cabetas, told BusinessWeek their policy is to give companies three months to fix a problem before publishing their findings.
They notified Tinder on October 23rd, got a reply thanking them the next day, then heard nothing further until December 2nd, when a developer said they needed more time.
The researchers said that the problem was fixed on January 1st.
Cabetas said: “Due to Tinder’s architecture, it is not possible for one Tinder user to know if another took advantage of this vulnerability during the time of exposure.
“The repercussions of a vulnerability of this type were pervasive given Tinder’s massive global base of users.
“As more and more applications are being built to include geo-location services, there is an increased risk to the privacy and safety of users.”
Tinder said they were not aware of anyone else using this process to reveal the locations of their users.
They fixed the flaw so that a user’s location can now only be discovered to within one mile.
Veytsman said in his blog: “Flaws in location information handling have been commonplace in the mobile app space and continue to remain common if developers don’t handle location information more sensitively.
“As more and more applications are being built to include geo-location services, there is an increased risk to the privacy and safety of users.”
Tinder CEO Sean Rad released a statement to BusinessWeek regarding the flaw, which said: “Shortly after being contacted, Tinder implemented specific measures to enhance location security and further obscure location data.
“We did not respond to further inquiries about the specific security remedies and enhancements taken as we typically do not share the specifics of Tinder’s security measures.
“We are not aware of anyone else attempting to use this technique. Our users’ privacy and security continue to be our highest priority.”