A number of location-based dating apps can be used to track the real-time locations of users, armed with nothing more than their username and the official API…
The problem was discovered by researchers from security firm Pen Test Partners (PTP), who were able to find out where users live, work, and socialize.
The company illustrated this by tracking app users in sensitive locations in London. This included someone who appears to be in 10 Downing Street, home to the Prime Minister of the UK, as well as in the British parliament and other government buildings. PTP redacted the usernames of these users.
Many of these apps return an ordered list of profiles, often with distances in the app UI itself. By supplying spoofed locations (latitude and longitude) it is possible to retrieve the distances to these profiles from multiple points, and then triangulate […] the data to return the precise location of that person.
We created a tool to do this that brings together multiple apps into one view. With this tool, we can find the location of users of Grindr, Romeo, Recon and 3fun – together this amounts to nearly 10 million users globally […]
The location data collected and stored by these apps is also very precise – 8 decimal places of latitude/longitude in some cases […] In our testing, this data was sufficient to show us using these data apps at one end of the office versus the other.
This vulnerability not only exposes people to the danger of being stalked, but could also carry other risks for members of some communities.
Two of the app makers responded positively, the other two not.
But being able to identify the physical location of LGBT+ people in countries with poor human rights records carries a high risk of arrest, detention, or even execution. We were able to locate the users of these apps in Saudi Arabia for example, a country that still carries the death penalty for being LGBT+.
PTP is calling on developers of location-based dating apps to protect user privacy by collecting less precise location data, use a snap-to-grid approach and inform users of the risks, allowing them to choose to identify their location in more general terms. It also suggests that Apple and Google could offer less precise location APIs for use by dating apps.
Recon replied with a good response after 12 days. They said that they intended to address the issue “soon” by reducing the precision of location data and using “snap to grid”. Recon said they fixed the issue this week.
3fun’s was a train wreck: Group sex app leaks locations, pics and personal details. Identifies users in White House and Supreme Court
Grindr didn’t respond at all. They have previously said that your location is not stored “precisely” and is more akin to a “square on an atlas”. We didn’t find this at all – Grindr location data was able to pinpoint our test accounts down to a house or building, i.e. exactly where we were at that time.
A recent study suggested that dating apps and websites are now the most common way for couples to meet.