Tinder Dating App Users Are Playing With Privacy Fire

Feb 18 2014, 11:33am CST | by


The wildly popular Tinder app has perfected the art of the frictionless hookup to levels not seen since Erica Jong lost her fear of flying in the ’70s. Part of the appeal is how responsive and location-aware the app is. Olympic athletes in Sochi, whose lives are devoted to speed, are reportedly using the app to spice up their downtime.

Unfortunately, two of the aspects responsible for the high quality of its user experience also potentially put its users at risk of stalking by predators with a modicum of hacking ability. First, the location processing takes place on the client side, so actual location data for matched users in a 25-mile radius is delivered directly to the user’s device, unmediated by the Tinder servers. Second, that data is incredibly accurate, within 100 ft. or less.

In July, a security vulnerability was reported concerning how Tinder was sending latitude and longitude co-ordinates of potential matches directly to iOS client apps. Researchers Erik Cabetas and Max Veytsman from the NYC-based firm Include Security began to investigate. “Anyone with rudimentary programming skills could query the Tinder API directly and pull down the co-ordinates of any user,” they write on the company’s blog. “We found a vulnerability that lets you get exact latitude and longitude co-ordinates for any Tinder user.”

Tinder fixed this issue, but Cabetas and Veytsman discovered that the fix itself created another vulnerability, which they then reported to the company. Security companies do this all the time to demonstrate their chops and generate publicity. This case is particularly interesting both because of Tinder’s rapidly growing popularity and because, according to Cabetas and Veytsman, “flaws in location information handling have been commonplace in the mobile app space and continue to remain common if developers don’t handle location information more sensitively.”

For those unfamiliar with the app, Tinder displays a pile of snapshots of potential dates in a user’s immediate area. If both sides of a match express interest, they have the option to message each other directly inside the app. The rest is up to them. What makes Tinder particularly popular is that it works equally well for people who just want the vicarious pleasure of cruising with no real intention of following through as it does for those who really want to hook up in real life.

But what if just creating an account on Tinder and opening the app occasionally is enough to make your location visible to someone you have no intention of ever meeting? This was the possibility raised by this second Tinder vulnerability, and by many location-based apps with oversharing APIs.

The “fixed” version of Tinder replaced the GPS latitude and longitude coordinates with very precise distances (in miles to 15 decimal places, which is literally about five feet!). But knowing how far away you are from a person doesn’t tell you anything about direction, right? It can if you are a little clever and studied trigonometry in high school.

There is a form of triangulation called trilateration that enables you to use geometry to calculate a precise location based on a set of three precise distances. So, if you know that you can query the Tinder API for the precise distance of a user based on their ID, all you need is to create three dummy accounts to acquire the three required distances.
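The geometry described above, as an added example that is not from the article or from Include Security: it shows why the precision of the reported distance is the sensitive part. The flat-plane coordinates, the observer positions and the whole-mile rounding are constructed assumptions for illustration; no real API is involved.

```python
import math

def trilaterate(observers, distances):
    """Return the planar point lying at the given distances from three observers."""
    (x1, y1), (x2, y2), (x3, y3) = observers
    r1, r2, r3 = distances
    # Subtracting circle 1 from circles 2 and 3 cancels the quadratic terms,
    # leaving two linear equations of the form a*x + b*y = c.
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = r1**2 - r2**2 + x2**2 - x1**2 + y2**2 - y1**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = r1**2 - r3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-12:
        raise ValueError("observers are collinear; position is ambiguous")
    # Cramer's rule on the 2x2 system.
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)

def recovery_error(true_pos, observers, report):
    """Miles between the true position and the one recovered from reported distances."""
    reported = [report(math.dist(true_pos, o)) for o in observers]
    return math.dist(true_pos, trilaterate(observers, reported))

# Constructed sample data: coordinates in miles on a flat plane.
OBSERVERS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
TRUE_POS = (3.3, 4.7)

def full_precision(d):
    """Distance reported with every decimal place, as the article describes."""
    return d

def whole_miles(d):
    """Hypothetical coarser response: distance rounded to the nearest mile."""
    return float(round(d))

if __name__ == "__main__":
    for name, fn in [("full precision", full_precision), ("whole miles", whole_miles)]:
        err_ft = recovery_error(TRUE_POS, OBSERVERS, fn) * 5280
        print(f"{name:>15}: recovered position is off by {err_ft:,.0f} ft")
```

With full-precision distances the recovered point matches the true one to floating-point error; with whole-mile distances the same calculation lands roughly 0.4 miles away on this sample.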

To show how such a process can be automated, Cabetas and Veytsman created a (private) app (for demonstration only) called Tinder Finder (see video below) that coordinates the activities of the dummy accounts and calculates the position of the targeted user. The researchers explain that while their “Proof of concept attack uses Facebook authentication to find the user’s Tinder id, Facebook is NOT needed to exploit this vulnerability, and no action by Facebook could mitigate this vulnerability.”

Tinder Finder:

So what does this mean in practical terms for the users of location-based apps? Most importantly, not to take an app’s word for it that your location data is secure when using it. There is simply not the authentication infrastructure yet in place to assure both the security and ease of use that would make these apps genuinely bullet-proof. Many players are working on this problem, from Apple to Google to the FIDO Alliance, but until there is some clear consensus between hardware and software that users adopt widely, these kinds of vulnerabilities will only increase.

For app makers, it seems that making user IDs harder to “sniff” and making dummy accounts harder to acquire can make triangulation schemes more difficult. For users, forgoing the ease of Facebook or Google authentication may make sniffing out your user ID more challenging for hackers, and being sure to close the app when not in use will cut down on the amount of location data the app has access to in the first place.

None of this, I am sure, will keep people from using Tinder. This is about sex, after all, and risk, for many, is part of the turn-on. But it wouldn’t take very many incidents of aggressive unwanted attention linked to such an app to change the whole landscape for location-based services. Fortunately, no such problems have been reported in relation to Tinder.

The good news is that, as of this writing, Include Security tells me that although the window for this exploit was open for a couple of months, it seems now that appropriate action has been taken, which has rendered the issue “unreproducible.” There are, however, many such apps out there and new ones appearing each day, so we probably have not heard the last of this tricky bit of triangulation.


Source: Forbes Business

 
 
