Tinder users could have had their near-exact location revealed for more than two months last year while a flaw in the app remained unfixed. The flaw, which has since been patched, could have allowed a hacker to triangulate a user's location to within 100 feet. Exploiting the flaw required knowing a user's current city and their behind-the-scenes identifier in the app, however, which means a hacker would likely have had to intercept the target's phone traffic beforehand in order to put the vulnerability to use.
The vulnerability may have been around since July
The security firm IncludeSec detailed the flaw in a blog post today. The firm says that it identified the vulnerability and first reported it to Tinder in late October. Though Tinder did not communicate to IncludeSec that the vulnerability had been fixed, IncludeSec determined that the issue was resolved by January 1st. Largely, the issue appears to have been that Tinder was sending far more location data about its users than it needed to.
Though the flaw was only identified in October, IncludeSec suggests that it may have been around since as far back as July — immediately after Tinder fixed a separate location vulnerability. This new vulnerability was presumably an unintended side effect of fixing the initial flaw, which could have allowed hackers to learn a Tinder user's location even more precisely by finding their exact coordinates. When reached for comment by The Verge, Tinder said that it was at work on a statement. We'll update with any response.
While the flaw appears to have come and gone without incident, this type of behavior is unlikely to go away anytime soon. An increasing number of apps — such as Tinder and Grindr — have been making heavy use of basic location data to introduce users to others nearby. It's a fun mechanic, but one that obviously lends itself to plenty of privacy concerns. For now, IncludeSec hasn't pointed to any other location flaws within Tinder, so its users should be able to go back to safely swiping others' pictures from wherever they choose.
Update: Tinder says that it resolved the flaw shortly after being contacted by IncludeSec, and that it is not aware of any other parties that attempted to use this vulnerability while it was active. A statement from CEO Sean Rad is below.
"Include Security identified a technical exploit that theoretically could have led to the calculation of a user’s last known location. Shortly after being contacted, Tinder implemented specific measures to enhance location security and further obscure location data. We did not respond to further inquiries about the specific security remedies and enhancements taken as we typically do not share the specifics of Tinder's security measures. We are not aware of anyone else attempting to use this technique. Our users’ privacy and security continue to be our highest priority."