How Sex And Dating Apps Are ‘Leaking’ Your Data

Dating apps, including Tinder and Grindr, can easily be hacked to reveal users’ exact location, security experts have warned.

A flaw in the apps leaves users vulnerable to stalking and persecution, according to researchers Patrick Wardle and Colby Moore from cybersecurity firm Synack, who detailed the security weakness at hacker conference ShmooCon 2015 this week in Washington, DC.

Poor encryption

The researchers explained how they managed to track app users’ movement throughout the day by spoofing requests to the servers behind those apps. An app could transmit user location to its servers insecurely if they data was sent in plaintext or if was not encrypted properly.

The vulnerability was discovered in dating app Tinder, as well as an array of other popular apps including Angry Birds, Starbucks and Whisper.

One of the most vulnerable apps they tested, though, was Grindr, a geosocial networking application geared towards gay, bisexual, and bi-curious men.

Moore demonstrated how he managed to abuse the flaw to compile one-time snapshots of 15,000 Grindr users in the San Francisco Bay area, as well as users of the app at the Sochi Olympics.

Wardle explained: “If you track a person’s public movements, you can generate an incredible amount of personal data.”

The vulnerability has already been exploited to persecute app users, according to the researchers, who said that it was being used to harass and attack Grindr users in Egypt.

Synack apparently warned Grindr about the vulnerability, but creators of the app said its location finding system is a “core function” of the app rather than a security problem.

Grindr did, however, update versions of the app in countries where homosexuality is illegal or which have a history of violence against gay people, including Egypt, Liberia, Nigeria, Russia, Saudi Arabia, Sudan and Zimbabwe.

But Moore believes Grindr could do more to protect users, by making it a lot more difficult for people to exploit the bug. Grindr’s developers could do this by analysing where people make location requests from and stopping those that were obviously spoofed, he said. The firm could also make the location data less precise to help obscure people’s locations, he added.

How much do you know about hacking? Take our quiz!