Security researchers discovered that four popular dating apps have been leaking the exact locations of their users.
According to security company Pen Test Partners, Grindr, Romeo, Recon, and 3Fun were potentially putting the location data of as many as 10 million users at risk.
The security firm says it was able to create a tool that allowed it to enter any location and quickly learn exactly where users of the four apps were located.
“By supplying spoofed locations (latitude and longitude) it is possible to retrieve the distances to these profiles from multiple points, and then triangulate or trilaterate the data to return the precise location of that person,” a blog post from the firm explained.
The company goes on to add that individual users can even be tracked “in near real-time” by simply knowing their usernames.
“Aside from exposing yourself to stalkers, exes, and crime, de-anonymizing individuals can lead to serious ramifications,” the blog post says.
The discovery is especially worrying given that some of the apps cater specifically to members of the LGBT+ community. Pen Test Partners says it was able to locate users in countries such as Saudi Arabia, which “still carries the death penalty for being LGBT+.”
“It is difficult for users of these apps to know how their data is being handled and whether they could be outed by using them,” the company writes. “App makers must do more to inform their users and give them the ability to control how their location is stored and viewed.”
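As an added illustration (not code from Pen Test Partners or any of the apps), the sketch below contrasts an API that returns metre-accurate distances with one that snaps the stored position to a grid cell before returning a rounded distance. Grid snapping as the mitigation, the 0.01° cell size, and all coordinates are assumptions chosen for the example.

```python
import math

EARTH_RADIUS_KM = 6371.0
CELL_DEG = 0.01  # assumed grid size, about 1.1 km of latitude

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def snap_to_grid(pos, cell=CELL_DEG):
    """Replace a position with the centre of the grid cell that contains it."""
    lat, lon = pos
    return ((math.floor(lat / cell) + 0.5) * cell,
            (math.floor(lon / cell) + 0.5) * cell)

def exact_distance_m(viewer, target):
    """Leaky behaviour: distance to the stored position, to the metre."""
    return round(haversine_km(viewer, target) * 1000)

def coarse_distance_km(viewer, target):
    """Hardened behaviour: snap the target server-side, then round to whole km."""
    return round(haversine_km(viewer, snap_to_grid(target)))

def distance_profile(target, viewers, distance_fn):
    """Everything a client learns by asking from several claimed positions."""
    return [distance_fn(v, target) for v in viewers]

# Constructed sample data: two users about 1 km apart inside one grid cell,
# and three claimed viewer positions around them.
USER_A = (51.5012, -0.1288)
USER_B = (51.5087, -0.1213)
VIEWERS = [(51.55, -0.10), (51.45, -0.20), (51.52, -0.05)]

if __name__ == "__main__":
    for name, fn in (("exact", exact_distance_m), ("coarse", coarse_distance_km)):
        a = distance_profile(USER_A, VIEWERS, fn)
        b = distance_profile(USER_B, VIEWERS, fn)
        print(f"{name:6} A={a} B={b} distinguishable={a != b}")
```

With exact distances the two users produce different answers from every claimed position; after snapping, their answers are identical, so the responses reveal only the grid cell and not where within it a user is.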
After contacting the companies behind the apps, Pen Test Partners says it received a range of responses.
The company behind the Romeo app pointed to a feature that allows users to not use their exact location, but the security firm says the option is not enabled by default and is buried in the app’s settings.
3Fun stated that it would “fix the problems as soon as possible” after being made aware.
Recon likewise stated that it would fix the issue and is believed to have done so within the last few days.
Grindr, on the other hand, did not respond to the incident.
Pen Test Partners says it hopes its discovery will allow users to become more aware of how vulnerable their private information is once it’s handed over to dating apps.
H/T Threat Post