360° Coverage : Tinder Dating App Users Are Playing With Privacy Fire


Feb 18 2014, 11:33am CST | by


The wildly popular Tinder app has perfected the art of the frictionless hookup to levels not seen since Erica Jong lost her fear of flying in the ’70s. Part of the appeal is how responsive and location-aware the app is. Olympic athletes in Sochi, whose lives are devoted to speed, are reportedly using the app to spice up their downtime.

Unfortunately, two of the aspects responsible for the high quality of its user experience also potentially put its users at risk of stalking by predators with a modicum of hacking ability. First, the location processing takes place on the client side, so actual location data for matched users in a 25-mile radius is delivered directly to the user’s device, unmediated by the Tinder servers. Second, that data is incredibly accurate, within 100 ft. or less.

In July, a security vulnerability was reported concerning how Tinder was sending latitude and longitude co-ordinates of potential matches directly to iOS client apps. Researchers Erik Cabetas and Max Veytsman from the NYC-based firm Include Security began to investigate. “Anyone with rudimentary programming skills could query the Tinder API directly and pull down the co-ordinates of any user,” they write on the company’s blog. “We found a vulnerability that lets you get exact latitude and longitude co-ordinates for any Tinder user.”

Tinder fixed this issue, but Cabetas and Veytsman discovered that the fix itself created another vulnerability which they then reported to the company. Security companies do this all the time to demonstrate their chops and generate publicity. This case is particularly interesting both because of Tinder’s rapidly growing popularity and because according to Cabetas and Veytsman, “flaws in location information handling have been common place in the mobile app space and continue to remain common if developers don’t handle location information more sensitively.”

For those unfamiliar with the app, Tinder displays a pile of snapshots of potential dates in a user’s immediate area. If both sides of a match express interest, they have the option to message each other directly inside the app. The rest is up to them. What makes Tinder particularly popular is that it works equally well for people who just want the vicarious pleasure of cruising with no real intention of following through as it does for those who really want to hook up in real life.

But what if just creating an account on Tinder and opening the app occasionally is enough to make your location visible to someone you have no intention of ever meeting? This was the possibility raised by this second Tinder vulnerability, and by many location-based apps with oversharing APIs.

The “fixed” version of Tinder replaced the GPS latitude and longitude coordinates with very precise distances (in miles to 15 decimal places, which is literally about five feet!). But knowing how far away you are from a person doesn’t tell you anything about direction, right? It can if you are a little clever and studied trigonometry in high school.

There is a form of triangulation called trilateration that enables you to use geometry to calculate a precise location based on a set of three precise distances. So, if you know that you can query the Tinder API for the precise distance of a user based on their ID, all you need is to create three dummy accounts to acquire the three required distances.
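The geometry described above, as an added example that is not from the article or from Include Security: it lets an API owner measure how much position their distance field gives away. The flat plane in miles, the observer points, the target and the `step` rounding parameter are all constructed assumptions.

```python
import math

# Constructed sample data on a flat plane, units in miles (not real coordinates).
ANCHORS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]   # three observer positions
TARGET = (3.7, 6.2)                                  # position to be protected

def trilaterate(anchors, dists):
    """Recover (x, y) from three points and the distance to each.

    Subtracting the first circle equation from the other two cancels the
    quadratic terms and leaves a 2x2 linear system, solved by Cramer's rule.
    """
    (x1, y1), (x2, y2), (x3, y3) = anchors
    d1, d2, d3 = dists
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    b2 = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-12:
        raise ValueError("anchors are collinear; position is ambiguous")
    return ((b1 * a22 - b2 * a12) / det, (a11 * b2 - a21 * b1) / det)

def reported_distances(anchors, target, step=None):
    """Distances a service would report; `step` rounds them to a grid.

    `step` is a hypothetical server-side coarsening, not Tinder's fix.
    """
    out = []
    for ax, ay in anchors:
        d = math.hypot(target[0] - ax, target[1] - ay)
        out.append(round(d / step) * step if step else d)
    return out

def location_error(anchors, target, step=None):
    """Miles between the true position and the one the distances reveal."""
    est = trilaterate(anchors, reported_distances(anchors, target, step))
    return math.hypot(est[0] - target[0], est[1] - target[1])

if __name__ == "__main__":
    print("full-precision distances:", location_error(ANCHORS, TARGET))
    print("rounded to 1 mile:       ", location_error(ANCHORS, TARGET, 1.0))
```

With full-precision distances the recovered point matches the true one to floating-point error; with the constructed one-mile rounding the estimate is off by about 0.3 miles, which shows that the precision of the reported distance sets the precision of the recoverable fix.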

To show how such a process can be automated, Cabetas and Veytsman created a (private) app (for demonstration only) called Tinder Finder (see video below) that coordinates the activities of the dummy accounts and calculates the position of the targeted user. The researchers explain that while their “Proof of concept attack uses Facebook authentication to find the user’s Tinder id, Facebook is NOT needed to exploit this vulnerability, and no action by Facebook could mitigate this vulnerability.”


So what does this mean in practical terms for the users of location-based apps? Most importantly, not to take an app’s word for it that your location data is secure when using it. There is simply not the authentication infrastructure yet in place to assure both the security and ease of use that would make these apps genuinely bullet-proof. Many players are working on this problem, from Apple to Google to the FIDO Alliance, but until there is some clear consensus between hardware and software that users adopt widely, these kinds of vulnerabilities will only increase.

For app makers, it seems that making user IDs harder to “sniff” and making dummy accounts harder to acquire can make triangulation schemes more difficult. For users, forgoing the ease of Facebook or Google authentication may make sniffing out your user ID more challenging for hackers, and being sure to close the app when not in use will cut down on the amount of location data the app has access to in the first place.

None of this, I am sure, will keep people from using Tinder. This is about sex, after all, and risk, for many, is part of the turn on. But it wouldn’t take very many incidents of aggressive unwanted attention linked to such an app to change the whole landscape for location-based services. Fortunately, no such problems have been reported in relation to Tinder.

The good news is that, as of this writing, Include Security tells me that, although the window for this exploit was open for a couple of months, it seems now that appropriate action has been taken which has rendered the issue “unreproducible.” There are, however, many such apps out there and new ones appearing each day, so we probably have not heard the last of this tricky bit of triangulation.


Source: Forbes Business

 