In a creepy twist to the evolving story of the mobile dating app, two researchers have found a way to not just find the exact location of a user, but also assemble a sort of dossier by tracking their movements over time.
Of particular concern is Grindr, a popular gay-dating app used worldwide by five million monthly users. The danger presented by the security flaws is particularly acute in countries where homosexuality is illegal and an outing by authorities or other users could put lives at risk.
As the BBC points out in a blog post, the problem was discovered by Colby Moore and Patrick Wardle with the cybersecurity firm Synack.
The pair focused most of their attention on gay dating app Grindr but said
They found that they could exploit a feature of Grindr that tells users how far away they are from other people who have signed up to use the service and share where they are. The app calls on several different sources of data to provide very precise measurements of this distance.
To exploit the loophole the researchers sent several requests to servers behind Grindr, each one appearing to come from a different location. This let them get multiple estimates of a target's distance from these separate places. This made it possible to calculate a person's exact location by triangulation.
In other words, the very technology that so beautifully allows users to quickly find possible dates nearby, sometimes within a few hundred feet, also has a darker side.
The vulnerability might leave users open to stalking, harassment or persecution, said the researchers.
By spoofing requests to the servers behind the apps, researchers were able to track people as they moved around during the day.
One app maker has fixed the loopholes in some nations but most users are still at risk, they warned.
I did a story about dating apps a couple of years ago. And while sitting at a restaurant playing around with one of them, I discovered that a possible match was sitting nearby at that very moment. As in a few hundred yards away. I nearly dropped the phone, I was so surprised by the app's ability to locate another user so quickly. It felt creepy – but then, I wasn't looking for a date.
Now, thanks to the work of Moore and Wardle, that same technology seems downright sinister in its vulnerability, as users may be able to quickly work up a sort of bio on a complete stranger and either stalk or harass someone for any reason.
In a post at Ars Technica, Grindr declined to comment:
Hopefully Grindr and the other apps, which were not mentioned in the posts by name, patch up this hole. But it appears that the problem is still there, because even though Grindr announced that it was making it easy for users to stop sharing their location if they were worried about how it could be abused…
… Grindr said that it had no plans to change the location finding system in nations where it was used because it was a core function of the service rather than a security flaw.
As a result, the problem still existed for Grindr users outside nations where location sharing was turned off.
"We were able to replicate this attack multiple times on willing participants without fail," he said.
He said Grindr could make it much harder to exploit the bug by checking where people were making location requests from and stopping those that were obviously spoofed. In addition, he said, the firm could make the location data less precise to help obscure people's locations.
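The two mitigations described above can be sketched server-side as follows. This is an added example, not code from Grindr or the researchers; the speed ceiling, the 1 km bucket size, the function names and the sample coordinates are all assumptions chosen for illustration.

```python
import math

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0   # assumed ceiling, roughly airliner speed
BUCKET_KM = 1.0          # assumed granularity for reported distances

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def is_plausible_move(prev, curr):
    """prev and curr are (unix_seconds, (lat, lon)). Returns False when the
    speed implied by two consecutive reports exceeds MAX_SPEED_KMH."""
    (t0, p0), (t1, p1) = prev, curr
    hours = max(t1 - t0, 1) / 3600.0   # guard against zero or negative gaps
    return haversine_km(p0, p1) / hours <= MAX_SPEED_KMH

def coarse_distance_km(viewer, target):
    """Distance rounded up to the next BUCKET_KM step, not the exact value."""
    return math.ceil(haversine_km(viewer, target) / BUCKET_KM) * BUCKET_KM

class LocationGate:
    """Keeps the last accepted report per account and rejects implausible jumps."""
    def __init__(self):
        self.last = {}

    def accept(self, account, ts, pos):
        prev = self.last.get(account)
        if prev is not None and not is_plausible_move(prev, (ts, pos)):
            return False               # keep the old position, ignore the new one
        self.last[account] = (ts, pos)
        return True

if __name__ == "__main__":
    # Constructed sample: one account reporting positions about 13 km apart.
    gate = LocationGate()
    reports = [(0, (37.7749, -122.4194)),      # first report, accepted
               (30, (37.8000, -122.2700)),     # 30 s later: implausible jump
               (3600, (37.8000, -122.2700))]   # an hour later: plausible
    for ts, pos in reports:
        print(ts, pos, "accepted" if gate.accept("u1", ts, pos) else "rejected")
    print(coarse_distance_km((37.7749, -122.4194), (37.7790, -122.4194)), "km")
```

A rejected report leaves the account's last accepted position in place, so distance queries cannot be answered from a vantage point the account could not have reached.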