Several of the most popular gay dating apps have flaws that allow their users’ exact locations to be determined, the BBC reports. Researchers from the cyber-security company Pen Test Partners found the flaws in the Grindr, Recon, and Romeo apps.
All of those apps allow users to share their general location by displaying their distance from each other. But while that location information only reveals distance from another user’s current location and not direction, the researchers found anyone with basic computing skills could use that information to determine another user’s exact location using a method known as trilateration. Here’s how the BBC describes the method:
Imagine a man shows up on a dating app as “200m away”. You can draw a 200m (650ft) radius around your own location on a map and know he is somewhere on the edge of that circle.
If you then move down the road and the same man shows up as 350m away, and you move again and he is 100m away, you can then draw all of these circles on the map at the same time and where they intersect will reveal exactly where the man is.
The scary thing is that if someone wanted to track gay men using this method, they could do so without actually needing to physically change their own location for trilateration to work. The BBC said the researchers created a tool that faked their own location and did all the trilateration calculations automatically, in bulk, allowing them to generate maps of precise user locations for thousands of individuals at a time.
Immediate thoughts of how a stalker could use this technique spring to mind, but that isn’t the only worry. Homosexuality is illegal or socially unacceptable in many of the countries where gay men use Grindr, Recon, and Romeo. This method would allow a nation-state to easily track them down in real time, leaving their freedom and perhaps even lives at risk.
The security company reached out to Grindr, Recon, and Romeo after discovering the apps’ vulnerabilities and told the companies how those vulnerabilities could be mitigated. Recon told the BBC it has since obscured precise user locations that were made vulnerable by trilateration.
Grindr said it gives users options to “hide their distance information from their profiles” and that it obfuscates location data “in countries where it is dangerous or illegal to be a member of the LGBTQ+ community.” However, the trilateration technique can still be used in other countries where users have not disabled distance sharing. Romeo did not respond to the BBC’s requests for comment, but the app’s website incorrectly claims that it’s “technically impossible” to stop someone from trilaterating users’ positions.
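One way a service can obscure precise locations so that distance readings no longer converge on a user, shown as an added example that is not code from the BBC, Pen Test Partners or any of the apps (the article does not say which approach Recon took). The 1 km cell, the 500 m bucket, the function names and the sample coordinates are all assumptions made for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000
GRID_M = 1_000    # assumed cell size: positions are snapped to roughly 1 km cells
BUCKET_M = 500    # assumed granularity of the distance shown to other users

def snap_to_grid(lat, lon, cell_m=GRID_M):
    """Replace a precise position with the centre of its grid cell.

    Snapping is deterministic on purpose: random noise added per request
    can be averaged away by asking repeatedly, a fixed cell centre cannot.
    """
    lat_step = math.degrees(cell_m / EARTH_RADIUS_M)
    lat_c = (math.floor(lat / lat_step) + 0.5) * lat_step
    # A degree of longitude shrinks with latitude; derive the step from the
    # snapped latitude so every point in the cell uses the same step.
    lon_step = lat_step / max(math.cos(math.radians(lat_c)), 0.01)
    lon_c = (math.floor(lon / lon_step) + 0.5) * lon_step
    return lat_c, lon_c

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def reported_distance_m(viewer, target):
    """Distance the server would return to `viewer` about `target`.

    The viewer's position is client-supplied and cannot be trusted, so the
    protection is applied to the target: the distance is measured to the
    target's cell centre, then rounded up to a bucket (never below one bucket).
    """
    d = haversine_m(*viewer, *snap_to_grid(*target))
    return max(BUCKET_M, math.ceil(d / BUCKET_M) * BUCKET_M)

# Constructed sample data: two true positions about 400 m apart in one cell,
# and three arbitrary viewer positions around them.
USER_A = (51.5000, -0.1200)
USER_B = (51.5030, -0.1170)
VIEWERS = [(51.4900, -0.1400), (51.5100, -0.1000), (51.5200, -0.1500)]

def same_answers(viewers, a, b):
    """True if no viewer position can tell position a from position b."""
    return all(reported_distance_m(v, a) == reported_distance_m(v, b) for v in viewers)

if __name__ == "__main__":
    print("indistinguishable:", same_answers(VIEWERS, USER_A, USER_B))
```

Because every query is answered relative to the cell centre, circles drawn from any number of viewpoints intersect at that centre rather than at the user; the cell size sets how much uncertainty remains.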