The Inquirer-Home

Tinder flaw left users vulnerable to location hacks for over three months

Took the dating app company from October to January to recognise and fix the bug
Thu Feb 20 2014, 17:07

A SECURITY FLAW in the dating app Tinder revealed peoples locations and left users vulnerable for over three months, security experts have finally disclosed.

Security app developer Include Security claims to have discovered the bug last autumn. "We found a way to get the exact latitude and longitude coordinates of any tinder user," said the firm's network security expert Max Veytsman. "We reported this vulnerability to Tinder in October 2013 and were confirmed that the issue was fixed by January 2014."

In case you weren't already aware, Tinder is a very popular dating app. It presents the user with photographs of strangers and allows them to "like" or "nope" them. When two people "like" each other, a chat box pops up allowing them to talk, or realise they made a mistake and ignore each other instead.

Include Security showed the vulnerability it discovered in action in a Youtube video demonstration posted on Wednesday. The firm didn't share this until recently when the issue had been fixed, although we do not have confirmation of this, as Tinder hasn't yet acknowledged the flaw.

According to Include Security, it took Tinder 40 days from the time it was notified to respond to the firm about the flaw.

Veytsman explained how they were able to hack Tinder users' locations in a Youtube video.

"For each Tinder 'match', the app shows you how far away other users are, with the user interface (UI) telling you roughly, in metres," he said.

"What we found is that Tinder's actually sending you really exact distances, so instead of it being 'three miles' it will be 3.175 with many dozens of points, so what we did was build an app that helps you triangulate Tinder users by measuring the distance of them from 3 points in the city where they are."

The Tinder Finder app works in the same way as Tinder, requiring a login through Facebook, which then gives an accurate present location. This can then be applied to any Tinder user by searching for users by their Tinder ID, which can be found out through users that you're browsing by "proxying" your phone's traffic.

A chosen ID can then be pasted into the Tinder Finder app, which then gives an exact location for that user.

Include Security's founder Erik Cabetas said in a Bloomberg interview that news of the Tinder bug has only recently been published because the company gives firms three months to fix a problem before publishing its findings. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

INQ Poll

Happy new year!

What tech are you most looking forward to in 2015