Tinder app security breach allowed users to track others' exact location

Tinder users may be unnerved to learn that a vulnerability in the app's geolocator allowed users of the popular online dating app to track others' exact location.

According to research from Include Security, the simple hack was employed widely in 2013.

The flaw, which has since been fixed, was first discovered by researchers and reported to Tinder last fall. The report explained that, using a technique known as trilateration, individuals with even basic programming skills would be able to identify the longitude and latitude coordinates for anyone who had the app running on their phone, or the last known location if the app was off.

Include Security Managing Partner and Founder Erik Cabetas said the architecture of Tinder was such that a user could not know if another user was taking advantage of the vulnerability.

After reporting the issue, the team followed up several times with the app makers, who fixed it some time between December and January.

The number of applications built with geolocation services is increasing, and with it the risk to safety and privacy. In Tinder's case, while the specific offense has been addressed, potential problems remain.

"Tinder is no longer returning exact GPS co-ordinates for its users, but it is leaking some location information that an attack can exploit," Include Security employee Max Veytsman writes on the company's blog.

Tinder is an app that connects to people's Facebook profiles and offers matches based on proximity. Users see details like some pictures, mutual friends, interests and an optional bio. Should someone pique their interest, they need only swipe right; an alert appears if both users indicate interest. Although user distance is shown, a precise address is not.
