Tinder's callous approach to privacy is getting more brazen. Businessweek says a security flaw exposed the exact latitude and longitude of Tinder users for between 40 to 165 days, with no notice from the company.
According to Businessweek, a white-hat hacking company called Include Security found the loophole, then waited for months for Tinder to respond. Tinder CEO Sean Rad has yet to publicly acknowledge the vulnerability to its users, 45 percent of whom are female.
[Include founder Erik Cabetas] says that his company informed Tinder of the vulnerability on Oct. 23, 2013, and did not get a meaningful reply until Dec. 2, when a Tinder employee asked for more time to fix the problem. The hole was patched at some point before Jan. 1, 2014, Cabetas says. Tinder has not made any public acknowledgment of the issue. Tinder Chief Executive Officer Sean Rad did not respond to a phone call or e-mail seeking comment.
Tinder's popularity with women is due in part to the perceived safety it offers. The app shows you potential matches nearby, but distance is supposed to be rounded to the nearest mile:
In October, however, researchers at Include Security discovered that Tinder servers were actually giving much more detailed information—mileage to 15 decimal places—that would allow any hacker with "rudimentary" skills to pinpoint a user's location to within 100 feet. Depending on the neighborhood, that's close enough to determine with alarming accuracy where, say, an ex-girlfriend is hanging out. [...]
This most recent Tinder flaw was discovered by Max Veytsman, one of Include's resident hackers. Veytsman details his process in a YouTube clip and this blog post, which includes a timeline of patchy correspondence with Tinder's Rad. "I wouldn't say they were extremely cooperative," Cabetas says.
Include Security's blog post goes into detail about how a stalker might be able to exploit the feature to find a "target":
I can create a profile on Tinder, use the API to tell Tinder that I'm at some arbitrary location, and query to API to find a distance to a user. First I need to find them within a 25 mile radius or so. I can do this by repeatedly telling the Tinder API I am moving my location and guessing, adjusting my guess based on the new distance I get from the API. I can also just assume that I know what city my target lives in.
We've reached out to Tinder for comment and will update the post if we hear back. Sean Rad may not want to talk to reporters or helpful hackers about a months-long privacy breach, but he's more than happy to chat about how Tinder turned dating into a millennial addiction or the company's gold medal in hook-ups.
Update: Tinder just sent Valleywag the following statement from CEO Sean Rad:
"Include Security identified a technical exploit that theoretically could have led to the calculation of a user's last known location. Shortly after being contacted, Tinder implemented specific measures to enhance location security and further obscure location data. We did not respond to further inquiries about the specific security remedies and enhancements taken as we typically do not share the specifics of Tinder's security measures. We are not aware of anyone else attempting to use this technique. Our users' privacy and security continue to be our highest priority."
An earlier version of this post stated that Include Security took down their blog post. It was never deleted, BusinessWeek just linked out to a draft version.
To contact the author of this post, please email firstname.lastname@example.org.
[Video via Include Security]