A Tinder security flaw exposed users' locations for at least a month
You know how pundits like to clutch their pearls and moan about the dangers of Tinder, and how hookup apps are leading to the degradation of modern courtship as we know it? Well, it turns out they might’ve been right about Tinder being dangerous, though not for the reason they’d expect.
Internet security researchers have revealed that between October and December of last year, a security flaw in the app inadvertently revealed Tinder user locations within 100 feet, so anyone with “rudimentary” hacking skills could’ve tracked them down. And not only did Tinder not inform their user base of the security flaw, they ignored it for at least a month, the researchers say.
Although Tinder is supposed to reveal users’ locations to the nearest mile, last October researchers at Include Security in New York discovered that the app was actually exposing user distance to 15 decimal places, so someone could potentially identify a user’s location within 100 feet of where they actually were. Meaning if someone really wanted to, they could potentially track you down... like, to your house. Which is a place you maybe still live.
The security flaw obviously has terrifying implications for Tinder users, not to mention for the company itself, who would’ve presumably been held liable if someone had stalked or harassed a user through the app. Yet when Include Security head Erik Cabetas informed Tinder of the flaw on Oct. 23, the company failed to respond until Dec. 2, when they informed Cabetas they needed more time to work on the bug.
Cabetas says Tinder finally fixed the bug sometime around Jan. 1, and that it was related to a previous security vulnerability that emerged sometime around Jul. 2013. He posted a timeline of his team’s (largely one-sided) communications with Tinder on the Include Security blog. “I wouldn’t say they were extremely cooperative,” he says of the company (Tinder has not yet commented on the security flaw).
As BusinessInsider points out, this is not the first time Tinder has been exposed for violating its users’ security: as recently as last July, a Quartz investigation pointed out that a simple hack could yield a user’s latitude and longitude.
In the same vein, Cabetas says this particular security flaw only required “rudimentary Web coding skills” to take advantage of: “This is not a very advanced exploitation scenario,” he says. So while everything in Tinderland seems to be copacetic for now, the implications of the latest vulnerability—and the company’s demonstrated lack of regard for the safety and security of their user base—are somewhat chilling, to say the least.
H/T Business Insider | Screengrab via Tinder