Four popular dating apps that together can claim 10 million users have been found to leak precise locations of their members.
“By simply knowing a person’s username we can track them from home, to work,” explained Alex Lomas, researcher at Pen Test Partners, in a blog on Sunday. “We can find out where they socialize and hang out. And in near real-time.”
The firm created a tool that brings together information on Grindr, Romeo, Recon and 3fun users. It uses spoofed locations (latitude and longitude) to retrieve the distances to user profiles from multiple points, and then triangulates the data to return the precise location of a specific person.
For Grindr, it’s also possible to go further and trilaterate locations, which adds in the parameter of altitude.
“The trilateration/triangulation location leakage we were able to exploit relies solely on publicly accessible APIs being used in the way they were designed for,” Lomas said.
He also found that the location data collected and stored by these apps is also very precise – 8 decimal places of latitude/longitude in some cases.
Lomas points out that the risk of this type of location leakage can be elevated depending on your situation – especially for those in the LGBT+ community and those in countries with poor human rights practices.
“Aside from exposing yourself to stalkers, exes and crime, de-anonymizing individuals can lead to serious ramifications,” Lomas wrote. “In the UK, members of the BDSM community have lost their jobs if they happen to work in ‘sensitive’ professions like being doctors, teachers, or social workers. Being outed as a member of the LGBT+ community could also lead to you using your job in one of many states in the USA that have no employment protection for employees’ sexuality.”
He added, “Being able to identify the physical location of LGBT+ people in countries with poor human rights records carries a high risk of arrest, detention, or even execution. We were able to locate the users of these apps in Saudi Arabia for example, a country that still carries the death penalty for being LGBT+.”
Chris Morales, head of security analytics at Vectra, told Threatpost that it’s problematic if someone concerned about being located is opting to share information with a dating app in the first place.
“I thought the entire purpose of a dating app was to be found? Anyone using a dating app was not exactly hiding,” he said. “They even work with proximity-based dating. As in, some will tell you that you are near someone else that might be of interest.”
He added, “[As for] how a regime/country can use an app to locate people they don’t like, if someone is hiding from a government, don’t you think not giving your information to a private company would be a good start?”
Dating apps notoriously collect and reserve the right to share information. For instance, an analysis in June from ProPrivacy found that dating apps including Match and Tinder collect everything from chat content to financial data on their users — and then they share it. Their privacy policies also reserve the right to specifically share personal information with advertisers and other commercial business partners. The problem is that users are often unaware of these privacy practices.
Further, aside from the apps’ own privacy practices allowing the leaking of info to others, they’re often the target of data thieves. In July, LGBQT dating app Jack’d has been slapped with a $240,000 fine on the heels of a data breach that leaked personal data and nude photos of its users. In February, Coffee Meets Bagel and OK Cupid both admitted data breaches where hackers stole user credentials.
Awareness of the dangers is something that’s lacking, Morales added. “Being able to use a dating app to locate someone is not surprising to me,” he told Threatpost. “I’m sure there are plenty of other apps that give away our location as well. There is no anonymity in using apps that advertise personal information. Same with social media. The only safe method is not to do it in the first place.”
Pen Test Partners contacted the various app makers about their concerns, and Lomas said the responses were varied. Romeo for instance said that it allows users to reveal a nearby position rather than a GPS fix (not a default setting). And Recon moved to a “snap to grid” location policy after being notified, where an individual’s location is rounded or “snapped” to the nearest grid center. “This way, distances are still useful but obscure the real location,” Lomas said.
Grindr, which researchers found leaked a very precise location, didn’t respond to the researchers; and Lomas said that 3fun “was a train wreck: Group sex app leaks locations, pics and personal details.”
He added, “There are technical means to obfuscating a person’s precise location whilst still leaving location-based dating usable: Collect and store data with less precision in the first place: latitude and longitude with three decimal places is roughly street/neighborhood level; use snap to grid; [and] inform users on first launch of apps about the risks and offer them real choice about how their location data is used.”