A SECURITY FLAW in the dating app Tinder revealed people's locations and left users vulnerable for over three months, security experts have finally disclosed.
Security app developer Include Security claims to have discovered the bug last autumn. "We found a way to get the exact latitude and longitude coordinates of any Tinder user," said the firm's network security expert Max Veytsman. "We reported this vulnerability to Tinder in October 2013 and were confirmed that the issue was fixed by January 2014."
In case you weren't already aware, Tinder is a very popular dating app. It presents the user with photographs of strangers and allows them to "like" or "nope" them. When two people "like" each other, a chat box pops up allowing them to talk, or realise they made a mistake and ignore each other instead.
Include Security showed the vulnerability in action in a YouTube video demonstration posted on Wednesday. The firm didn't share this until recently, after the issue had been fixed, although we cannot confirm the fix, as Tinder hasn't yet acknowledged the flaw.
According to Include Security, it took Tinder 40 days from the time it was notified to respond to the firm about the flaw.
Veytsman explained how they were able to hack Tinder users' locations in a YouTube video.
"For each Tinder 'match', the app shows you how far away other users are, with the user interface (UI) telling you roughly, in metres," he said.
"What we found is that Tinder's actually sending you really exact distances, so instead of it being 'three miles' it will be 3.175 with many dozens of points, so what we did was build an app that helps you triangulate Tinder users by measuring the distance of them from 3 points in the city where they are."
The Tinder Finder app works in the same way as Tinder, requiring a login through Facebook, and then gives an accurate present location. It can be applied to any Tinder user by searching on their Tinder ID, which can be found for the users you're browsing by "proxying" your phone's traffic.
A chosen ID can then be pasted into the Tinder Finder app, which then gives an exact location for that user.
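The flaw as described is that the server sent a far more precise distance than the interface displayed. The Python below is an added example, not Tinder's or Include Security's code and not a description of the actual fix: it sets a full-precision response beside one coarsened on the server, where the function names, the 0.01-degree grid cell and the coordinates are all assumptions made for illustration.

```python
import math

EARTH_RADIUS_MILES = 3958.8
GRID_DEGREES = 0.01  # assumed cell size (about 0.7 miles of latitude)

def haversine_miles(a, b):
    """Great-circle distance in miles between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))

def snap(point, cell=GRID_DEGREES):
    """Replace a coordinate with the centre of the grid cell that contains it."""
    return tuple((math.floor(c / cell) + 0.5) * cell for c in point)

def leaky_distance(viewer, target):
    """The flaw as reported: the full-precision distance leaves the server."""
    return haversine_miles(viewer, target)

def hardened_distance(viewer, target):
    """Coarsen before responding: snap the target to its cell, then round."""
    return round(haversine_miles(viewer, snap(target)))

# Constructed sample data: three viewer positions and two target positions
# that fall inside the same grid cell.
VIEWERS = [(40.7580, -73.9855), (40.6782, -73.9442), (40.7306, -74.0800)]
TARGET_A = (40.7128, -74.0060)
TARGET_B = (40.7171, -74.0012)

def responses(distance_fn, target):
    """What each viewer position would receive for the given target."""
    return [distance_fn(v, target) for v in VIEWERS]

if __name__ == "__main__":
    for name, fn in (("leaky", leaky_distance), ("hardened", hardened_distance)):
        print(name, responses(fn, TARGET_A), responses(fn, TARGET_B))
```

With the hardened form both targets produce identical responses from every viewer position, so measurements taken from several points cannot tell positions within a cell apart.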
Include Security's founder Erik Cabetas said in a Bloomberg interview that news of the Tinder bug has only recently been published because the company gives firms three months to fix a problem before publishing its findings.