A Security Flaw Exposed Tinder Users’ Exact Location For Months


We previously reported about Tinder when it turned out that all of the Olympic athletes used it to hook up, but apparently Tinder has been exposing your exact location to others for months. Via Business Week:

Internet security researchers in New York say that a flaw in Tinder, the super-popular hookup app, made it possible to find users’ precise location for between 40 and 165 days, without any public notice from the company. Tinder—which connects flirty smartphone users with others nearby—is supposed to show users roughly how close they are to each other. Distance is rounded to the nearest mile, a safe-seeming threshold that has helped the app become addictive to both sexes. In October, however, researchers at Include Security discovered that Tinder servers were actually giving much more detailed information—mileage to 15 decimal places—that would allow any hacker with “rudimentary” skills to pinpoint a user’s location to within 100 feet. Depending on the neighborhood, that’s close enough to determine with alarming accuracy where, say, an ex-girlfriend is hanging out.

So you get to see a picture of someone, and then you know exactly where they are? That sounds like the beginning of a Lifetime movie or an I Survived episode.

Include Security is what’s known as a white-hat hacking company: Its employees hunt for problematic code in popular websites, apps, and software. Its policy, says Erik Cabetas, Include’s founder, is to give companies three months to fix the problem before publishing its findings, which it does to gain publicity and attract clients who will pay for its security expertise. Cabetas says that his company informed Tinder of the vulnerability on Oct. 23, 2013, and did not get a meaningful reply until Dec. 2, when a Tinder employee asked for more time to fix the problem. The hole was patched at some point before Jan. 1, 2014, Cabetas says. Tinder has not made any public acknowledgment of the issue. Tinder Chief Executive Officer Sean Rad did not respond to a phone call or e-mail seeking comment.

So if I were one of these hackers that wanted to exploit the security flaw, how would one go about it? Is it easy? Do I have to hack the Gibson? Via Include Security:

I can create a profile on Tinder, use the API to tell Tinder that I’m at some arbitrary location, and query the API to find a distance to a user. First I need to find them within a 25 mile radius or so. I can do this by repeatedly telling the Tinder API I am moving my location and guessing, adjusting my guess based on the new distance I get from the API. I can also just assume that I know what city my target lives in.
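The quoted passage explains why 15-decimal mileage matters: every distance answer is a ring around the viewer, and exact rings from a few viewer positions cross at one spot. The simulation below is an added example, not code from Include Security or Tinder. It models the two server-side policies the article contrasts (the raw float the servers were returning, versus distance rounded to the nearest mile) and measures how many 30 m grid cells around a target would have produced the same answers from three viewer positions. The target coordinates and viewer offsets are constructed sample values; the flat-earth offset helper is an approximation that is fine at city scale.

```python
import math

MILE_M = 1609.344        # metres per statute mile
EARTH_R_M = 6371008.8    # mean Earth radius, metres


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_R_M * math.asin(math.sqrt(h))


def distance_leaky(viewer, target):
    """Models the flawed response: mileage as a raw float (~15 significant decimals)."""
    return haversine_m(viewer, target) / MILE_M


def distance_rounded(viewer, target):
    """Hardened response: the fractional mileage never leaves the server."""
    return int(round(haversine_m(viewer, target) / MILE_M))


def offset(point, north_m, east_m):
    """Move a (lat, lon) point by metres (flat-earth approximation, constructed helper)."""
    lat, lon = point
    dlat = north_m / 111_320.0
    dlon = east_m / (111_320.0 * math.cos(math.radians(lat)))
    return (lat + dlat, lon + dlon)


def consistent_cells(target, viewers, policy, step_m=30.0, span_m=3000.0):
    """Count grid cells (step_m apart, within span_m of the target) whose position
    would have produced exactly the same responses as the target itself, under the
    given distance policy, from every viewer position.  A count of 1 means the
    responses pin the target to a single cell; a large count is the intended blur."""
    observed = [policy(v, target) for v in viewers]
    n = int(span_m // step_m)
    count = 0
    for i in range(-n, n + 1):
        for j in range(-n, n + 1):
            cell = offset(target, i * step_m, j * step_m)
            if all(math.isclose(policy(v, cell), o, rel_tol=0.0, abs_tol=1e-9)
                   for v, o in zip(viewers, observed)):
                count += 1
    return count


# Constructed scenario: a target in Manhattan and three viewer positions 2-3 miles away.
TARGET = (40.7580, -73.9855)
VIEWERS = [
    offset(TARGET, 4000, 0),        # ~2.5 mi north
    offset(TARGET, -3000, 3500),    # ~2.9 mi south-east
    offset(TARGET, -1000, -4500),   # ~2.9 mi south-west
]

if __name__ == "__main__":
    for name, policy in (("raw float", distance_leaky), ("nearest mile", distance_rounded)):
        print(f"{name:>12}: {consistent_cells(TARGET, VIEWERS, policy)} consistent cells")
```

With the raw float policy, only the target's own cell reproduces all three answers, which is the "within 100 feet" outcome the researchers describe; with rounding, thousands of cells remain. Rounding alone only widens the uncertainty, though: since the client controls its own reported position, a hardened endpoint should also rate-limit distance queries and compute the answer from a coarsened copy of the target's location rather than the exact one.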

This seems to be an easily manipulated flaw that could have exposed a lot of users to unwelcome creepers. It also gives me another reason to not put too many apps on my phone. Every time you install one you have to agree to something you probably won’t read, so I’ll just stick to the basics and date like normal people by staring at you at the bar for 4 hours.

Via Business Week, Gawker
