LGBTQ dating platforms Grindr and Romeo have been caught exposing the location data of users in a new investigation by the BBC.
Cybersecurity researchers from Pen Test Partners demonstrated to journalists how a hacker would be able to pinpoint the location of a profile by taking advantage of a feature which tells users how many metres they are from a connection.
By creating a tool which faked the location of their own device, they could find how far the target was from several nearby coordinates. Combining these distances narrowed the possible location down to a very small area.
This could be done in bulk and at speed, identifying the whereabouts of many users in quick succession.
Using a coarser location indicator, such as one which limited the number of decimal places in longitude and latitude readings, would make this process of trilateration far more difficult.
On apps which organise profile grids by distance, it was also possible to zero in on someone’s exact location by creating fake accounts nearby. As these fake accounts were moved around (again using a tool), researchers could work out where the real account was based.
Speaking to the BBC, Grindr said that users have the in-app option to hide their location. Further, this was done automatically in countries which pose a threat to LGBTQ freedoms.
Romeo declined to comment, while Recon, an LGBTQ app which had recently dealt with similar vulnerabilities, said: “Historically we’ve found that our members appreciate having accurate information when looking for members nearby.
“In hindsight, we realise that the risk to our members’ privacy associated with accurate distance calculations is too high and have therefore implemented the snap-to-grid method to protect the privacy of our members’ location information.”
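As an added illustration (not code from the BBC investigation, Pen Test Partners, or any of the apps named), the Python below contrasts the weak design, a distance computed from the user's true position, with the snap-to-grid approach Recon describes: the server snaps every user to the centre of a fixed grid cell before any distance is computed, so repeated distance queries from faked positions only ever resolve the cell. The function names, the 0.01 degree cell size and the coordinates are assumptions made up for the example.

```python
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius, metres


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two (lat, lon) points given in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def snap_to_grid(lat, lon, cell_deg=0.01):
    """Snap a coordinate to the centre of its cell on a fixed world grid (assumed 0.01 deg).

    The grid is anchored at (0, 0), not at the user, so every position inside
    one cell collapses to the same point (about 1.1 km of latitude per cell)."""
    lat_c = (math.floor(lat / cell_deg) + 0.5) * cell_deg
    lon_c = (math.floor(lon / cell_deg) + 0.5) * cell_deg
    return lat_c, lon_c


def distance_precise_m(viewer, target):
    """Weak design: distance from the target's true position, so it can be trilaterated."""
    return haversine_m(viewer[0], viewer[1], target[0], target[1])


def distance_snapped_m(viewer, target, cell_deg=0.01):
    """Corrected design: distance from the target's snapped cell centre.

    Queries from any number of faked viewer positions now all resolve the
    same cell centre, so combining them recovers the cell, not the user."""
    t_lat, t_lon = snap_to_grid(target[0], target[1], cell_deg)
    return haversine_m(viewer[0], viewer[1], t_lat, t_lon)


def cell_radius_m(lat, cell_deg=0.01):
    """Upper bound on how far a true position can sit from its reported cell centre."""
    half_lat_m = haversine_m(lat, 0.0, lat + cell_deg / 2, 0.0)
    half_lon_m = haversine_m(lat, 0.0, lat, cell_deg / 2)
    return math.hypot(half_lat_m, half_lon_m)


if __name__ == "__main__":
    # Constructed sample: one viewer, two targets inside the same 0.01 degree cell.
    viewer, alice, bob = (51.5200, -0.1000), (51.5074, -0.1278), (51.5010, -0.1220)
    print(round(distance_precise_m(viewer, alice)), round(distance_precise_m(viewer, bob)))
    print(round(distance_snapped_m(viewer, alice)), round(distance_snapped_m(viewer, bob)))
```

With the precise design the two targets report different distances and can be told apart; with snapping they report exactly the same distance, and `cell_radius_m` gives the worst-case residual uncertainty (roughly 650 m at this latitude and cell size), which is the knob a product team tunes.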