Contributed by: ElyseRomano on Friday, March 28 2014 @ 07:43 am
Bad news for Tinder fans: all those creepy people you've been avoiding on the app may now know exactly where you are.
It turns out the dating app suffered from a bug for most of last year that would've allowed hackers to determine the exact location of its users. And Tinder chose to cover it up until just a few weeks ago. The information security firm Include Security exposed the security vulnerability in mid-February, saying that anyone with the right kind of knowledge could "get the exact latitude and longitude coordinates for any Tinder user" provided that the app was running.
Hello, major privacy violation!
The company confirmed that "anyone with rudimentary programming skills could query the Tinder API directly and pull down the coordinates of any user." From that API data, it is then possible to triangulate the exact location of the user with a very high degree of accuracy. We're talking within 100 feet. And remember that part where they said "rudimentary programming skills?" So not only can creeps get incredibly close to you, they don't even have to be smart creeps in order to do it.
So much for the fun of all that mindless swiping.
It's a bad bug, for sure, but before you go cursing the day Tinder hit the app-mosphere, Include Security also noted in an FAQ on its disclosure blog post that these flaws can be "common place in the mobile app space" and will "continue to remain common if developers don't handle location information more sensitively." Is that more comforting or less comforting? I'm not actually sure…
What I am sure of is that Tinder should not have failed to disclose the vulnerability when it was privately reported. Users deserved to know that the security of their location data was potentially compromised, even though the bug was fixed sometime between December and January.
Your questions now are probably "Has anyone actually exploited this?" and "Can I tell if someone has tracked me using this privacy vulnerability?" According to Include Security's post, "there is no simple way to determine if this attack was used against a specific Tinder user." In other words, nope – you have no way of knowing if that slightly unbalanced-looking person you just rejected is about to come knocking at your door.
Good luck sleeping (or swiping) with that on your mind.