Why it matters: According to Stanford sociologists, online dating apps and websites are now the most common way for couples to meet; almost half of all heterosexual couples now meet this way, the high point of an upward trend that was monitored between 2009 and 2017.
We’ve known for a while now that online dating apps aren’t nearly as anonymous as we might think, and that’s mostly a product of how much information we’re voluntarily giving them. That’s why attackers see these as goldmines where they can probe for personal user details such as the name of your employer, your address, and your current location among other things.
It turns out that several of the most popular dating apps have a vulnerability in their official mobile APIs that allows malicious actors to get access to the location data the apps gather for convenience purposes. An important thing to note here is that all that’s needed to exploit this flaw is the username.
The problem was uncovered by security research firm Pen Test Partners, who demonstrated an attack tool that exposed sensitive user information about where users live, socialize, and work in near real-time. The apps vulnerable to this attack are Romeo, Grindr, 3Fun and Recon, and the potential user base at risk amounts to 10 million users.
“Many of these apps return an ordered list of profiles, often with distances in the app UI itself,” says one of the researchers. “By supplying spoofed locations (latitude and longitude) it is possible to retrieve the distances to these profiles from multiple points, and then triangulate or trilaterate the data to return the precise location of that person.”
The researchers notified the makers of the four dating apps, and the responses were mixed. Romeo explained that its app has a feature that allows you to give out a nearby location instead of the exact one, but this isn’t enabled by default. Recon says it’s rolling out a similar fix that reduces the precision of location data using “snap to grid.”
Grindr offered no response, presumably because they previously explained to the researchers that the app’s location data can be compared to a “square on an atlas”. Unfortunately, Pen Test Partners tested that claim and found the location data to be very precise, and were able to “pinpoint our test accounts down to a house or building.”
Apparently, group dating app 3Fun was the most vulnerable of the four. Researchers said it not only leaked the locations of its users, but also their chat data, pictures, and sexual preferences among other things. They first published their analysis on the app last week, when they described it as a “train wreck.”
The report highlights the need for Google and Apple to build less precise location APIs for dating apps and for developers to use a snap-to-grid approach that reduces the precision of location data. The two tech giants are already removing dating apps that allow underage users, but it’s important to be aware that some apps might not be able to protect your personal data even after you’ve turned on all the privacy settings.
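The mechanism the researcher describes (querying distances from several spoofed positions) and the "snap to grid" mitigation mentioned for Romeo and Recon are easier to reason about in code. The block below is an added example, not code from the article, from Pen Test Partners, or from any of the four apps: it models the server side of a distance-returning API, once with exact distances and once with the user's position quantized to a 1 km grid cell before any distance is computed. The coordinates, probe points, grid size and the metres-per-degree constant are constructed assumptions for the demonstration.

```python
import math

# Added example (not from the article or from Pen Test Partners): a server-side
# "snap to grid" mitigation of the kind the article says Romeo and Recon offer.
# Geometry constants are approximations chosen for this demo, not article values.
EARTH_RADIUS_M = 6_371_000.0
METERS_PER_DEG_LAT = 111_320.0  # approximate; good enough for a privacy grid


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def snap_to_grid(lat, lon, cell_m=1000.0):
    """Quantize a position to the centre of a cell_m x cell_m grid cell.

    Every user inside the same cell is reported at the same point, so the
    distance the API returns can never resolve a user below the cell size,
    no matter how many client positions the distance is requested from.
    """
    lat_step = cell_m / METERS_PER_DEG_LAT
    lat_c = (math.floor(lat / lat_step) + 0.5) * lat_step
    # Longitude degrees shrink with latitude; size the column by the cell's row
    # so that the cell stays roughly square in metres.
    lon_step = cell_m / (METERS_PER_DEG_LAT * math.cos(math.radians(lat_c)))
    lon_c = (math.floor(lon / lon_step) + 0.5) * lon_step
    return lat_c, lon_c


def reported_distances(probe_points, user_lat, user_lon, cell_m=None):
    """What the API hands back for one profile when queried from several
    client positions: exact distances when cell_m is None (the leaky
    behaviour), or distances to the snapped cell centre when a grid size
    is given. Distances are rounded to whole metres, as a UI would show."""
    if cell_m is not None:
        user_lat, user_lon = snap_to_grid(user_lat, user_lon, cell_m)
    return [round(haversine_m(plat, plon, user_lat, user_lon)) for plat, plon in probe_points]


def snap_error_m(lat, lon, cell_m=1000.0):
    """Distance between a true position and its reported cell centre.

    Bounded by roughly half the cell diagonal (about 0.71 * cell_m), which is
    the precision floor the mitigation guarantees for every user."""
    slat, slon = snap_to_grid(lat, lon, cell_m)
    return haversine_m(lat, lon, slat, slon)


if __name__ == "__main__":
    # Constructed sample data: three client positions and two test profiles
    # a few hundred metres apart that fall into the same 1 km cell.
    probes = [(51.5100, -0.1300), (51.4900, -0.1100), (51.5050, -0.1000)]
    alice = (51.5007, -0.1246)
    bob = (51.5030, -0.1220)
    print("exact  :", reported_distances(probes, *alice), reported_distances(probes, *bob))
    print("snapped:", reported_distances(probes, *alice, cell_m=1000),
          reported_distances(probes, *bob, cell_m=1000))
    print("worst-case error for alice: %.0f m" % snap_error_m(*alice))
```

With exact distances the two profiles return different numbers from every probe point, which is exactly the per-user signal the researchers combined. With snapping applied before the distance is computed, both profiles return identical lists, so the most any observer can recover is the shared cell. The important design choice is that quantization happens on the server before the distance calculation; rounding the distance value alone, or snapping only in the client UI, leaves the precise position available to anyone calling the API directly.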