Developers with the popular dating application Tinder have fixed a vulnerability that up until last year could’ve allowed users to track other users, thanks to a hole in the app’s API and some old fashioned trigonometry.
Max Veytsman, a Toronto-based researcher with Include Security disclosed the vulnerability Wednesday on the firm’s blog, claiming that before it was fixed he could find the exact location of any Tinder user with a fairly high level of accuracy, up to 100 feet.
Tinder, available on iOS and Android, has been massively popular over the last year. It routinely appears in Apple’s list of most downloaded apps and apparently has been all the rage at this winter’s Olympic games in Sochi, Russia, with reports that many athletes are using it to kill downtime.
The app is a location-aware dating platform that allows users to swipe through images of nearby strangers. Users can either “like” or “nope” images. If two users “like” each another, they can message each other. Location is critical for the app to function — beneath each image Tinder tells users how many miles away they are from potential matches.
Include Security’s vulnerability is tangentially related to a problem in the app from last year wherein anyone, given a little work, could mine the exact latitude and longitude of users.
That hole surfaced in July and according to Veytsman, at the time “anyone with rudimentary programming skills could query the Tinder API directly and pull down the coordinates of any user.”
While Tinder fixed that vulnerability last year, the way they fixed it left the door open for the vulnerability that Veytsman would go on to find and report to the company in October.
Veytsman found the vulnerability by doing something he usually does in his spare time, analyze popular apps to see what he finds. He was able to proxy iPhone requests to analyze the app’s API and while he didn’t find any exact GPS coordinates – Tinder removed those – he did find some useful information.
It turns out before it fixed the problem, Tinder was being very exact when it communicated with its servers just how many miles apart users are from one another user. One part of the app’s API, the “Distance_mi” function tells the app almost exactly (up to 15 decimal points) how many miles a user is from another user. Veytsman was able to take this data and triangulate it to determine a user’s most recent locations.
Veytsman simply created a profile on the app, used the API to tell it he was at a random location and from there, was able to query the distance to any user.
“When I know the city my target lives in, I create three fake accounts on Tinder. I then tell the Tinder API that I am at three locations around where I guess my target is.”
To make it even easier, Veytsman even created a web app to exploit the vulnerability. For privacy sake, he never released the app, dubbed TinderFinder, but claims in the blog he could find users by either sniffing a users’ phone traffic or inputting their user ID directly.
While Tinder’s CEO Sean Rad said in a statement yesterday that the company fixed the problem “shortly after being contacted” by Include Security, the exact timeline behind the fix remains a little hazy.
Veytsman says the group never got a response from the company aside from a quick message acknowledging the issue and asking for more time to implement a fix.
Rad claims Tinder didn’t respond to further inquiries as it does not typically share specific “enhancements taken” and that “users’ privacy and security continue to be our highest priority.”
Veytsman just assumed the app was fixed at the beginning of this year after Include Security researchers looked at the app’s server side traffic to see if they could find any “high precision data” leakage but discovered that none was being returned, suggesting the problem was fixed.
Since the researchers never got an official response from Tinder that it had been patched and since the issue was no longer “reproducible,” the group decided it was the right time to post their findings.
