Include Security unveiled new research showing that users of the popular online dating app Tinder were at significant risk due to a vulnerability its researchers discovered in the geo-location feature of the application. This vulnerability allowed Tinder users to track one another’s exact location for much of 2013.
Researchers first discovered the flaw and reported it to Tinder this past fall, noting that the vulnerability would allow any Tinder user to find another user’s current location if the Tinder app was running, or their last known location if it was not.
Using a geometric technique called trilateration, researchers were able to obtain the exact latitude and longitude coordinates of any Tinder user.
Anyone with rudimentary programming skills could query the Tinder API directly and pull down the coordinates of any user, which amounted to a privacy violation for everyone using the application.
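To make the risk concrete from the defender's side, here is an added Python example that is not Include Security's code and does not touch the Tinder API. It uses constructed coordinates on a flat local plane measured in metres: three observer positions and one target. `trilaterate` shows why a precise distance field pins a user down exactly; `quantize` applies one common mitigation, assumed here for illustration (rounding the reported distance to whole miles), and `feasible_region` measures how much location uncertainty that coarser field actually leaves, so a developer can judge whether a chosen rounding step is enough.

```python
import math

MILE_M = 1609.344  # metres per statute mile (assumption: distances are reported in miles)

# Constructed scenario: three observer positions and the user being located, in metres.
ANCHORS = [(0, 0), (5000, 0), (0, 5000)]
TARGET = (1234, 2345)


def distance(a, b):
    """Planar Euclidean distance; a flat local plane is assumed for this constructed example."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


def trilaterate(anchors, distances):
    """Closed-form planar trilateration: intersect the circles centred on three known
    observer positions whose radii are the distances the server reported."""
    (x1, y1), (x2, y2), (x3, y3) = anchors
    r1, r2, r3 = distances
    # Subtracting pairs of circle equations cancels the quadratic terms and leaves
    # two linear equations a*x + b*y = c and d*x + e*y = f, solved by Cramer's rule.
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    d, e = 2 * (x3 - x2), 2 * (y3 - y2)
    f = r2**2 - r3**2 - x2**2 + x3**2 - y2**2 + y3**2
    det = a * e - b * d
    if abs(det) < 1e-9:
        raise ValueError("observer positions are collinear; no unique solution")
    return (c * e - b * f) / det, (a * f - c * d) / det


def quantize(d, step):
    """Mitigation (assumed, not Tinder's documented fix): report the distance rounded
    to the nearest `step`, e.g. whole miles, instead of the exact value."""
    return round(d / step) * step


def feasible_region(anchors, reported, step, bbox, resolution):
    """Grid points whose rounded distances would yield the same reported values.
    The size of this set is the residual uncertainty the coarser field still leaves."""
    xmin, xmax, ymin, ymax = bbox
    buckets = [round(r / step) for r in reported]
    cells = []
    for gx in range(xmin, xmax + 1, resolution):
        for gy in range(ymin, ymax + 1, resolution):
            if all(round(distance(a, (gx, gy)) / step) == k for a, k in zip(anchors, buckets)):
                cells.append((gx, gy))
    return cells


def extent(cells):
    """Width and height in metres of the bounding box around the feasible cells."""
    if not cells:
        return (0, 0)
    xs = [c[0] for c in cells]
    ys = [c[1] for c in cells]
    return (max(xs) - min(xs), max(ys) - min(ys))


def leak_report(step=MILE_M):
    """Compare the precision leaked by exact distances with that of rounded ones."""
    exact = [distance(a, TARGET) for a in ANCHORS]
    coarse = [quantize(d, step) for d in exact]
    from_exact = trilaterate(ANCHORS, exact)
    from_coarse = trilaterate(ANCHORS, coarse)
    region = feasible_region(ANCHORS, coarse, step, (0, 5000, 0, 5000), 25)
    return {
        "error_exact_m": distance(from_exact, TARGET),    # ~0: exact field gives the user away
        "error_coarse_m": distance(from_coarse, TARGET),  # single-point estimate is off by ~158 m
        "region_cells": len(region),                      # but the true uncertainty is a whole region
        "region_extent_m": extent(region),                # spanning well over a kilometre
    }


if __name__ == "__main__":
    for key, value in leak_report().items():
        print(f"{key}: {value}")
```

The point for an API designer is the last two fields: the closed-form solve on rounded distances still lands within a few hundred metres of the user, yet the set of positions consistent with those rounded values spans more than a kilometre. How much of that residual uncertainty is acceptable is a product decision, but it should be measured this way rather than assumed, and the rounding must happen server-side, because any precision the client receives can be read straight off the wire.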
Erik Cabetas, Managing Partner and Founder of Include Security said, “Due to Tinder’s architecture, it is not possible for one Tinder user to know if another took advantage of this vulnerability during the time of exposure. The repercussions of a vulnerability of this type were pervasive given Tinder’s massive global base of users. Once our research team discovered it, we reported the vulnerability directly to Tinder and followed up multiple times between October and December 2013 to ensure they were addressing the problem.”
Tinder issued a fix for the problem at some point between December and early January.
“As more and more applications are being built to include geo-location services, there is an increased risk to the privacy and safety of users,” added Cabetas. “Application vendors and developers have a responsibility to ensure their users’ privacy and security are protected, vulnerabilities are communicated promptly, and priority is given to developing important fixes like this.”
Here’s a video of the vulnerability in action: