New Tinder Security Flaw Exposed Users' Exact Locations for Months
Internet security researchers in New York say that a flaw in Tinder, the super-popular hookup app, made it possible to find users’ precise location for between 40 and 165 days, without any public notice from the company.
Tinder—which connects flirty smartphone users with others nearby—is supposed to show users only roughly how close they are to each other. Distance is rounded to the nearest mile, a safe-seeming threshold that has helped the app become addictive to both sexes. In October, however, researchers at Include Security discovered that Tinder’s servers were actually sending the app much more detailed information—distance to 15 decimal places—which would allow any hacker with “rudimentary” skills to pinpoint a user’s location to within 100 feet. Depending on the neighborhood, that’s close enough to determine with alarming accuracy where, say, an ex-girlfriend is hanging out.
Include Security is what’s known as a white-hat hacking company: Its employees hunt for problematic code in popular websites, apps, and software. Its policy, says Erik Cabetas, Include’s founder, is to give companies three months to fix the problem before publishing its findings, which it does to gain publicity and attract clients who will pay for its security expertise.
Cabetas says that his company informed Tinder of the vulnerability on Oct. 23, 2013, and did not get a meaningful reply until Dec. 2, when a Tinder employee asked for more time to fix the problem. The hole was patched at some point before Jan. 1, 2014, Cabetas says. Tinder has not made any public acknowledgment of the issue. Tinder Chief Executive Officer Sean Rad did not respond to a phone call or e-mail seeking comment.
This isn’t the first time Tinder has exposed its users’ locations and other sensitive data. In July, Quartz.com reported that the app revealed users’ exact latitude and longitude for at least two weeks—not a “few hours,” as Rad told the site. In November, Quartz reported that Tinder code could be manipulated to expose users’ e-mail addresses.
As detailed in an August Bloomberg Businessweek story, Tinder fashions itself as a startup, but it’s actually part of IAC/InterActiveCorp’s dating division, called the Match Group. IAC plans to turn the Match Group into a separate business that may ultimately be spun off as a public company, and IAC regards Tinder as a kind of gateway drug to get smartphone-toting millennials hooked on digital dating, which they’ll eventually pay for.
This most recent Tinder flaw was discovered by Max Veytsman, one of Include’s resident hackers. Veytsman details his process in a YouTube clip and this blog post, which includes a timeline of patchy correspondence with Tinder’s Rad. “I wouldn’t say they were extremely cooperative,” Cabetas says.
A data field that reports the distance to a user’s last known location to within 0.000000000000001 mile appears to have been in place since the July 2013 privacy breach. (The iPhone’s GPS reports more digits than it can actually measure, so the trailing decimals are noise; what matters is that the field carried far more precision than the whole-mile figure the app displays.) Using that information to locate a person requires only “rudimentary Web coding skills,” says Cabetas. “This is not a very advanced exploitation scenario.”
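The article says the over-precise distance field let a low-skill attacker pinpoint a user, but it does not spell out how. The example below is added here and is not Tinder’s code or Include Security’s; it assumes the standard trilateration approach: spoof three client positions, read the server’s distance field from each, and intersect the three circles. It models both the vulnerable behaviour (distance to 15 decimal places) and the intended one (nearest whole mile) so the difference in what an attacker recovers is visible. Coordinates are a constructed flat grid in miles around an arbitrary origin, which is accurate enough over a few miles; the target position and vantage points are made up.

```python
"""
Trilateration against a 'distance to user' field, as an added illustration.

Not Tinder's or Include Security's code. Assumes the attacker can set the
client's own position (three spoofed vantage points) and read back the
server's distance value each time. Flat local grid in miles: (east, north).
"""
import math

MILES_PER_FOOT = 1 / 5280


def distance(a, b):
    """Straight-line distance in miles on the flat local grid."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


def report_distance(vantage, target, precise):
    """Model of the server's distance field.

    precise=True mimics the vulnerable behaviour (15 decimal places);
    precise=False mimics the intended behaviour (rounded to the nearest mile).
    """
    d = distance(vantage, target)
    return round(d, 15) if precise else float(round(d))


def trilaterate(vantages, distances):
    """Solve for (x, y) from three (vantage, distance) pairs.

    Subtracting the first circle equation from the other two cancels the
    quadratic terms, leaving a 2x2 linear system solved with Cramer's rule.
    """
    (x1, y1), (x2, y2), (x3, y3) = vantages
    d1, d2, d3 = distances
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-12:
        raise ValueError("vantage points must not be collinear")
    x = (c1 * b2 - c2 * b1) / det
    y = (a1 * c2 - a2 * c1) / det
    return (x, y)


def locate(target, precise):
    """Attacker's view: spoof three positions, read the field, solve.

    Returns the error of the recovered position, in feet.
    """
    vantages = [(0.0, 0.0), (2.0, 0.0), (0.0, 2.0)]  # constructed spoofed positions
    reported = [report_distance(v, target, precise) for v in vantages]
    estimate = trilaterate(vantages, reported)
    return distance(estimate, target) / MILES_PER_FOOT


if __name__ == "__main__":
    target = (0.83, 1.27)  # constructed victim position, miles from origin
    print(f"15-decimal distances: error {locate(target, True):.6f} ft")
    print(f"whole-mile distances: error {locate(target, False):.0f} ft")
```

With the 15-decimal field the three circles meet at a single point and the error is a rounding artifact, well under a foot; with whole-mile values each measurement carries up to half a mile of uncertainty and the same solver lands about half a mile off for this target. Rounding on the server, before the value is sent, is the intended control; it is a mitigation rather than a guarantee, since a client that can spoof many positions can probe where the reported value flips, so limiting how freely and how often a client can re-query belongs alongside it.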
“We want technology companies to remember that as they’re moving a million miles an hour to innovate, they need to consider security and privacy as part of the value proposition they’re selling their customers,” Cabetas says. “Consumers tend to avoid use of applications, cloud services, or websites that severely encroach on their privacy.”
Update (2x): Through a spokesperson, Rad emails this statement: “Shortly after being contacted, Tinder implemented specific measures to enhance location security and further obscure location data. We did not respond to further inquiries about the specific security remedies and enhancements taken as we typically do not share the specifics of Tinder’s security measures. We are not aware of anyone else attempting to use this technique. Our users’ privacy and security continue to be our highest priority.”
Tinder’s spokesperson, Rosette Pambakian, says the issue was resolved “within 48 hours.” Cabetas says that’s impossible. You’ll need to decide who to believe.