Dating App Vulnerabilities: Researchers Discover Location Pinpointing Flaw in Bumble and Hinge

Dating apps like Bumble and Hinge have been found to have vulnerabilities in their design that allow malicious users or stalkers to pinpoint the location of their victims with alarming accuracy. Researchers from Belgian university KU Leuven analyzed 15 popular dating apps and discovered that Badoo, Bumble, Grindr, happn, Hinge, and Hily all shared the same vulnerability. These apps used exact locations for their “filters” feature, which allowed users to search for potential partners based on criteria like distance.

To identify the exact location of a user, the researchers used a technique called “oracle trilateration.” Unlike traditional trilateration used in GPS, oracle trilateration involved estimating the victim’s location based on the information displayed in their profile and then moving incrementally until the victim was no longer within proximity in three different directions. This provided the attacker with three positions and known distances, enabling them to trilaterate the victim’s location.

The researchers found it surprising that such known issues were still present in popular dating apps. While the technique did not reveal the exact GPS coordinates of the victim, a proximity of 2 meters was considered close enough to pinpoint the user. However, once the researchers alerted the affected apps, they promptly changed how distance filters worked to prevent the oracle trilateration technique from being used. The fix involved rounding up the exact coordinates by three decimals, introducing an uncertainty of approximately one kilometer.
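The effect of that fix can be checked with a short added example (not code from the researchers or from any of the apps): once coordinates are coarsened before the distance filter runs, the filter returns the same answer for every true position that rounds to the same value, so probing it from different viewer positions cannot separate those positions. The function names, coordinates and the 1000 m radius are constructed for illustration, and reading "three decimals" as rounding to three decimal places is an assumption.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def coarsen(point, decimals):
    """Round a (lat, lon) pair before it reaches any distance logic."""
    return (round(point[0], decimals), round(point[1], decimals))

def within_filter(viewer, target, radius_m, decimals=None):
    """Distance filter; decimals=None compares exact coordinates (the flawed design)."""
    if decimals is not None:
        viewer, target = coarsen(viewer, decimals), coarsen(target, decimals)
    return haversine_m(*viewer, *target) <= radius_m

def filter_distinguishes(pos_a, pos_b, viewers, radius_m, decimals=None):
    """True if any viewer position gets a different filter answer for pos_a and pos_b."""
    return any(
        within_filter(v, pos_a, radius_m, decimals) != within_filter(v, pos_b, radius_m, decimals)
        for v in viewers
    )

# Constructed sample data: two possible true positions of one user, about 36 m apart,
# and three viewer positions near the edge of a 1000 m filter radius.
POS_A = (50.87960, 4.70040)
POS_B = (50.87990, 4.70020)
VIEWERS = [(50.88875, 4.70040), (50.87000, 4.70040), (50.87960, 4.71500)]
RADIUS_M = 1000.0

if __name__ == "__main__":
    print("exact coordinates leak:", filter_distinguishes(POS_A, POS_B, VIEWERS, RADIUS_M))
    print("coarsened (3 decimals) leak:", filter_distinguishes(POS_A, POS_B, VIEWERS, RADIUS_M, 3))
```

The coarsening has to happen server-side on the stored coordinates; rounding only the distance shown in the profile leaves the exact-coordinate filter in place.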

Bumble, Hily, and happn all confirmed that they received reports of the vulnerability and took steps to address it. Badoo and Hinge did not respond to requests for comment. Grindr, on the other hand, responded that rounding users’ precise locations by three decimals was a deliberate feature rather than a bug. The company emphasized the importance of proximity in connecting users within the LGBTQ+ community and stated that users have control over the location information they provide.

While the other apps were vulnerable to pinpointing users within 2 meters, Grindr rounded users’ locations to within 111 meters. The researchers argued that this distance was still potentially dangerous, especially in densely populated areas. However, Grindr defended this feature, highlighting its significance in connecting users to the LGBTQ+ community.

Overall, the findings underscore the need for robust security measures in dating apps to protect user privacy and ensure their safety. The prompt response from the affected apps in addressing the vulnerabilities demonstrates the importance of ongoing security assessments and proactive measures to prevent potential misuse of location data.