Quartz's Zachary Seward reports that Tinder, the hookup app du jour, was leaving your physical location and Facebook information open to prying eyes. It fixed the bug, but how long was your secret sexting identity open for the stealing?
The company, in a statement to Quartz, says the bug was shortlived:
”We had a very, very, very brief security flaw that we patched up very quickly,” Tinder CEO Sean Rad said. “We were not exposing any information that can harm any of our users or put our users in jeopardy.”
Are we sure about that? Your location and real name—the exact things Tinder is designed to playfully obscure—could put someone in jeopardy. It looks like the flaw was noticed over the weekend:
Uh, Branch hackathon demo reveals that the Tinder API is the creepiest thing ever. Can get mobile location data and FB URLs for… every user.— Libby Brittain (@libbybrittain) July 20, 2013
and fixed by yesterday at the latest:
What's worrying here isn't actually the bug, which would only reveal your coordinates and Facebook details (like name and maybe college) if some creep was stalking around on the same Wi-Fi network as you. What's worrying is that Tinder didn't tell any of its many users, if only to reassure them that in all likelihood, their romantic business wasn't plucked out of the airwaves. You don't want to look less transparent than Apple.
Update: A Tinder rep provided the following comment:
We take the privacy of our users very seriously and have taken the appropriate measures to ensure that our user data cannot be accessed from anyone inside or outside the company. We became privy to a minor security flaw related to one of our releases and patched it up within hours of that release.Since Tinder's inception, we've implemented multiple precautions to protect our user data, including encryption. This minor leak was first brought to our attention by one of our engineers and we resolved it very quickly, before it was able to cause any harm to our users.