A security firm revealed Wednesday that a vulnerability in the popular dating app Tinder made it possible for an attacker with some know-how to pinpoint users’ precise locations. Tinder was notified of the flaw on Oct. 23, and the hole was patched before the new year, according to Max Veytsman at the firm Include Security.
The Tinder app shows how far potential mates are from a user in miles, but Veytsman discovered through the company’s API that it was giving out distances to 15 decimal places, or approximately 100 feet. With this information, Include Security built a web application to triangulate and pinpoint users’ precise locations (see video above).
Tinder “is leaking some location information that an attacker can exploit,” wrote Veytsman in a blog post. “The distance_mi field is a 64-bit double. That’s a lot of precision that we’re getting, and it’s enough to do really accurate triangulation!” He notes that the flaw isn’t unique to Tinder, and it’s unclear if any users were targeted. However, he adds that the firm believes the flaw has existed since July, potentially exposing users’ locations whenever they opened the app for close to half a year.
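To show why the precision of the distance field matters, here is an added example (not code from Include Security or from this article) that solves for a position from three reported distances in a constructed flat-plane scenario, then repeats the calculation with the distances rounded to whole miles, the kind of server-side quantization that limits this technique. The target, probe positions and mile-based coordinates are hypothetical values chosen for the demonstration.

```python
import math

# Constructed scenario: positions are in a local flat-plane approximation,
# measured in miles from an arbitrary origin (hypothetical, not from the post).
TARGET = (3.0, 4.0)
PROBES = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]


def observed_distance(target, probe, decimals=None):
    """Distance the server would report for a query issued from `probe`.

    decimals=None models the leaked 64-bit double; an integer models
    server-side rounding before the value is returned to the client.
    """
    d = math.hypot(target[0] - probe[0], target[1] - probe[1])
    return d if decimals is None else float(round(d, decimals))


def trilaterate(probes, dists):
    """Recover (x, y) from three probe points and their reported distances.

    Subtracting the circle equations pairwise gives a 2x2 linear system.
    """
    (x1, y1), (x2, y2), (x3, y3) = probes
    r1, r2, r3 = dists
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    d, e = 2 * (x3 - x1), 2 * (y3 - y1)
    f = r1**2 - r3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a * e - b * d
    if abs(det) < 1e-12:
        raise ValueError("probes are collinear; choose a different third probe")
    return ((c * e - b * f) / det, (a * f - c * d) / det)


def recovery_error(decimals=None):
    """Miles between the true target and the position recovered from the
    distances the server reports at the given precision."""
    dists = [observed_distance(TARGET, p, decimals) for p in PROBES]
    est = trilaterate(PROBES, dists)
    return math.hypot(est[0] - TARGET[0], est[1] - TARGET[1])


if __name__ == "__main__":
    print(f"raw double:   error {recovery_error():.9f} mi")
    print(f"whole miles:  error {recovery_error(0):.3f} mi")
```

With the raw double the position is recovered essentially exactly; rounding to whole miles leaves an error of roughly a fifth of a mile with three probes, which is why the fix has to reduce precision rather than merely relabel the field.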
In a statement to Fast Company, Tinder cofounder and CEO Sean Rad said:
Include Security identified a technical exploit that theoretically could have led to the calculation of a user’s last known location. Shortly after being contacted, Tinder implemented specific measures to enhance location security and further obscure location data. We did not respond to further inquiries about the specific security remedies and enhancements taken as we typically do not share the specifics of Tinder’s security measures. We are not aware of anyone else attempting to use this technique. Our users’ privacy and security continue to be our highest priority.
Veytsman disclosed a timeline of events (emphasis ours) since reaching out to Tinder in October:
October 23rd 2013 – We notified Tinder via email to customer service.
October 24th 2013 – We notified Tinder via email to CEO.
October 24th 2013 – Tinder’s CEO acknowledges and says thanks.
November 8th 2013 – We ask for status from the CEO, no response.
December 2nd 2013 – We ask for status from the CEO, we’re redirected to a tech team lead.
December 2nd 2013 – Tech team lead asks for more time to implement a fix, we acknowledge and agree.
January 1st 2014 – We look at the server-side traffic to see if the same issue exists and see that the high precision data is no longer being returned by the server (awesome looks like a fix!)
January 2nd 2014 – We ask for fix details/status from the tech team lead, no response.
February 4th 2014 – We ask for fix details/status from the tech team lead, no response.
February 7th 2014 – We ask for fix details/status from the CEO, get short reply saying they’ll get back to us.
February 19th 2014 – As the issue does not seem to be reproducible and we have no updates from the vendor… blog post published.
If this sounds familiar, it’s because a security vulnerability discovered last summer exposed users’ Facebook IDs and locations. At the time, the company responded that the issue had persisted for only two hours before it was patched, but the engineer who reported the flaw said it took up to two weeks to fix. Tinder never made it clear whether it disclosed that vulnerability to users, and it has yet to do so for Include Security’s latest discovery.