Tinder, one of the hottest dating apps, is making headlines for more than making matches. A security firm, IncludeSec, recently revealed a major problem in Tinder’s app that could allow hackers to accurately pinpoint users geographically using high school math.
Tinder is used to find people in your area looking to meet, date, or even hook up. Users pick potential matches based mainly on looks, although each profile has a user-curated page. The app presents a picture of a fellow Tinder user who is located relatively nearby. Like that person? Swipe her picture to the right for a potential date. Not interested? Swipe left. And all while supposedly hiding everyone’s exact location.
These sorts of apps are designed to be relatively anonymous, but after a bit of digging, the security company discovered that the app was releasing telemetry data that, when used to triangulate a user, can display the location of that user to within 100 feet. The full exploit is explained here and demonstrated in the video above. This is the second time such an exploit was discovered. A similar vulnerability appeared in July 2013.
Tinder has quietly fixed the problem, according to a statement provided by the company yesterday. Tinder is also not aware of anyone using the latest exploit. And that’s the issue.
Anyone can be a hacker. Anything that an API can be used for, it will be used for. The engineer who implemented that code clearly was under the impression that it was safe. Companies big and small obviously do not intend to roll out code that can be maliciously exploited. The company’s goal is to make people happy, not sad. App makers have the responsibility to provide their users with a relative amount of security. This is especially true if your app is about meeting people around you based on their picture alone.
It’s likely that Tinder didn’t publicize this exploit and fix in order to save face. The company was already recovering from last summer’s exploit and probably didn’t want users to question it, again, about security.
Tinder is not alone here, although this particular exploit could have ended especially badly. From Target’s massive data breach to an exploit that opens Belkin’s WeMo devices to hackers, data security will continue to be a rolling issue. It’s a company’s responsibility to protect its data for the sake of its users. And when a breach happens, because breaches will continue to happen, transparency is the best policy.
The only question left is which app is going to leak data next?
At TechCrunch Disrupt Berlin (video below), Tinder founder and CEO Sean Rad didn’t reveal exact user counts, but instead mentioned the app sees 3.5 million matches and 350 million swipes a day. (About 30 percent of those are the right swipes that indicate interest.) And the app has seen 30 billion swipes and 300 million matches total.
“Include Security identified a technical exploit that theoretically could have led to the calculation of a user’s last known location. Shortly after being contacted, Tinder implemented specific measures to enhance location security and further obscure location data. We did not respond to further inquiries about the specific security remedies and enhancements taken as we typically do not share the specifics of Tinder’s security measures. We are not aware of anyone else attempting to use this technique. Our users’ privacy and security continue to be our highest priority.”