Researchers Discover Location Leaks in Six Dating Apps
Published On: August 1, 2024
Researchers from KU Leuven University have identified significant privacy vulnerabilities in six popular dating apps. These vulnerabilities could potentially allow malicious users to pinpoint the near-exact location of other users, raising serious concerns about user safety and privacy.
The affected apps (Hinge, Happn, Bumble, Grindr, Badoo, and Hily) were found to be susceptible to forms of "trilateration," a GPS-based method that can be exploited to expose users' approximate locations. This discovery has prompted some of these platforms to take immediate action to enhance their security measures.
The researchers grouped the six dating apps under three types of trilateration. First, there is Exact Distance Trilateration, which can pinpoint a target within a 111-meter square at the equator. Grindr is particularly susceptible to this form of trilateration. The second category is Rounded Distance Trilateration, which uses distance filters to approximate a location, much like a Venn diagram, and affects Happn. Lastly, there is Oracle Trilateration, which affects Badoo, Bumble, Hinge, and Hily. This technique allows malicious users to locate another user to within 2 meters. It involves moving in increments until the target is no longer within proximity and triangulating data from three different positions to pinpoint one spot.
Vulnerabilities across apps
The researchers found that these vulnerabilities were caused by the apps using exact locations for their distance filters despite not displaying exact locations to users. This design flaw could be exploited by users with malicious intent, posing a significant threat to user safety.
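The design flaw described above, next to a hardened form, as an added example that is not code from the researchers or from any of the apps. It shows a distance filter whose answer depends on a user's exact position and one whose answer depends only on a coarse grid cell. The grid size, coordinates, radius and function names are assumptions made for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000
GRID_DEG = 0.01  # assumed cell size, roughly 1.1 km of latitude

def haversine_m(a, b):
    """Great-circle distance in meters between two (lat, lon) pairs."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def snap(coord, grid=GRID_DEG):
    """Replace a coordinate with the centre of its grid cell."""
    lat, lon = coord
    return ((math.floor(lat / grid) + 0.5) * grid,
            (math.floor(lon / grid) + 0.5) * grid)

def in_range_exact(viewer, target, radius_m):
    """Flawed pattern: the filter compares exact stored coordinates."""
    return haversine_m(viewer, target) <= radius_m

def in_range_coarse(viewer, target, radius_m):
    """Hardened pattern: both positions are coarsened before comparing."""
    return haversine_m(snap(viewer), snap(target)) <= radius_m

def leaks_sub_cell_position(filter_fn, viewer, positions, radius_m):
    """True if the filter answer changes while the target stays in one cell."""
    return len({filter_fn(viewer, p, radius_m) for p in positions}) > 1

# Constructed sample data: two positions of one user inside the same grid
# cell, and a viewer in the neighbouring cell.
VIEWER = (50.8830, 4.7030)
TARGET_POSITIONS = [(50.8712, 4.7030), (50.8788, 4.7030)]
RADIUS_M = 1000

if __name__ == "__main__":
    for name, fn in (("exact", in_range_exact), ("coarse", in_range_coarse)):
        leaked = leaks_sub_cell_position(fn, VIEWER, TARGET_POSITIONS, RADIUS_M)
        print(f"{name} filter reveals position inside the cell: {leaked}")
```

The same check can run as a regression test against a real filter endpoint's logic, so a later change that reintroduces exact coordinates fails the build.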
Grindr's Chief Privacy Officer, Kelly Peterson Miranda, noted that users could disable their distance display from their profiles, emphasizing that "Grindr users are in control of what location information they provide." However, the app remains susceptible to exact distance trilateration, allowing users to be located within 111 meters.
Bumble's Vice President of Global Communications, Gabrielle Ferree, stated that the company "swiftly resolved the issues outlined" with its distance filter last year. As Badoo is owned by Bumble, Ferree's statement covers both brands.
Hily's Co-founder and CTO, Dmytro Kononov, acknowledged a potential vulnerability but claimed that exploiting it for attacks was impossible due to their internal protective mechanisms. The company has since developed new geocoding algorithms to eliminate this type of attack.
The discovery of these vulnerabilities has sparked a broader discussion about user safety in the digital age. As more people rely on dating apps for connection, ensuring user privacy and security remains paramount. While some apps have made strides in protecting their users, the findings highlight the ongoing need for vigilance and innovation in app security.
Reader concerns: Protecting your privacy
For readers concerned about their privacy on dating apps, there are practical steps you can take to protect yourself. Regularly review and update your app’s privacy settings to ensure you’re not sharing more information than necessary. Consider disabling precise location features and using strong, unique passwords to enhance account security. If you encounter suspicious behavior, report it immediately to the app’s support team. Being aware of these vulnerabilities and taking proactive measures can help safeguard your online interactions while using these platforms.