Dating apps Bumble, Hinge exposed users to stalkers. Say what!
A team of researchers from KU Leuven, a university in Belgium, has uncovered significant security flaws in popular dating apps including Bumble and Hinge. The flaws were found in the "filters" feature of these apps, which users utilize to customize their partner search based on criteria like distance. The vulnerabilities allowed potential attackers to determine the precise location of other users within a 2-meter radius.
Flaws exploited in-app 'filters' feature
Although these apps did not directly disclose exact locations when showing the distance between users on their profiles, they did use precise locations for this filtering feature. This loophole could be exploited by potential attackers to pinpoint a user's location. The study scrutinized 15 widely used dating apps including Badoo, Grindr, happn, and Hily, and identified similar issues in them as well.
'Oracle trilateration' technique used to exploit flaw
The researchers employed a method they call "oracle trilateration" to exploit this flaw and recover a target's exact location. The distance filter acts as a binary oracle: the app either does or does not list the victim as being within the chosen radius. Starting from a rough estimate of the victim's location taken from their profile, the attacker moves their own reported position outward until the oracle flips from "nearby" to "no longer nearby", which marks a point on the circle of filter radius centred on the victim. Repeating this in three directions yields three points on that circle, and the victim's position is its centre. Because the technique relies on distances rather than angles, this is trilateration, not triangulation.
Researchers express surprise at persistent issues
Karel Dhondt, one of the researchers involved in the study, expressed surprise that these known issues were still present in popular apps. He pointed out that while this method does not reveal the exact GPS coordinates of a victim, a proximity of two meters is close enough to pinpoint a user's location. The research team has since contacted all affected apps about these vulnerabilities.
Apps respond with changes to distance filters
In response to the researchers' findings, all affected apps have now altered how their distance filters function. The fix involved rounding the exact coordinates to three decimal places, thereby reducing their precision. "This is approximately an uncertainty of one kilometer," Dhondt explained. (Note that 0.001° of latitude is about 111 m, the same granularity the study reports for Grindr below, so kilometre-scale uncertainty does not follow from three-decimal rounding on its own.) Bumble confirmed being made aware of these findings in early 2023 and promptly addressed the issues highlighted.
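As an added worked example (not code from the KU Leuven study or from any of the apps named), the following Python simulates the oracle trilateration attack described above against a hypothetical 1 km distance filter, and then runs the same attack once the stored coordinates are rounded to a grid of about 111 m, the size of 0.001° of latitude discussed in this article. The flat metre coordinate system, the 1 km radius, the 50 m stride, the bisection tolerance and the victim's position are all assumptions constructed for the demonstration.

```python
import math

# Added illustration, not the researchers' code. Positions are (x, y) in metres
# on a flat local plane (an assumption: the apps work in latitude/longitude, but
# over a few kilometres the flat approximation is accurate to well under a metre).

FILTER_RADIUS_M = 1000.0   # hypothetical "within 1 km" distance filter
CELL_M = 111.0             # 0.001 deg of latitude is about 111 m (40 008 km / 360 / 1000)


def snap(p, cell):
    """Round a position to the nearest grid point of size `cell` (models
    rounding coordinates to three decimal places of a degree)."""
    return (round(p[0] / cell) * cell, round(p[1] / cell) * cell)


def distance(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def make_oracle(victim, radius=FILTER_RADIUS_M, cell=None):
    """Build the proximity oracle an attacker gets from a distance filter:
    True iff the victim lies within `radius` of the attacker's position.
    With `cell` set, the victim's stored coordinates are rounded first."""
    stored = snap(victim, cell) if cell else victim

    def oracle(attacker):
        return distance(attacker, stored) <= radius
    return oracle


def find_boundary(oracle, start, direction, step=50.0, tol=0.5):
    """Walk from `start` (inside the filter circle) along `direction` in
    `step`-metre strides until the oracle flips to False, then bisect to
    locate the circle boundary to within `tol` metres."""
    if not oracle(start):
        raise ValueError("starting estimate is outside the filter circle")
    dx, dy = direction
    norm = math.hypot(dx, dy)
    dx, dy = dx / norm, dy / norm
    at = lambda t: (start[0] + dx * t, start[1] + dy * t)
    inside, outside = 0.0, step
    while oracle(at(outside)):       # coarse walk outward until "not nearby"
        inside, outside = outside, outside + step
    while outside - inside > tol:    # bisect between last "in" and first "out"
        mid = (inside + outside) / 2
        if oracle(at(mid)):
            inside = mid
        else:
            outside = mid
    return at((inside + outside) / 2)


def circumcentre(a, b, c):
    """Centre of the circle through three points (standard closed form)."""
    ax, ay = a
    bx, by = b
    cx, cy = c
    d = 2 * (ax * (by - cy) + bx * (cy - ay) + cx * (ay - by))
    a2, b2, c2 = ax * ax + ay * ay, bx * bx + by * by, cx * cx + cy * cy
    ux = (a2 * (by - cy) + b2 * (cy - ay) + c2 * (ay - by)) / d
    uy = (a2 * (cx - bx) + b2 * (ax - cx) + c2 * (bx - ax)) / d
    return (ux, uy)


def trilaterate(oracle, estimate):
    """Oracle trilateration: probe in three directions 120 degrees apart,
    collect three points on the filter circle, return its centre."""
    directions = [(1.0, 0.0), (-0.5, math.sqrt(3) / 2), (-0.5, -math.sqrt(3) / 2)]
    points = [find_boundary(oracle, estimate, d) for d in directions]
    return circumcentre(*points)


def demo():
    """Run the attack against an exact oracle and against one whose stored
    coordinates are rounded to a 111 m grid. Returns the errors in metres."""
    victim = (1275.0, -720.0)                          # constructed true position
    estimate = (victim[0] + 300.0, victim[1] - 200.0)  # rough guess from the profile
    exact = trilaterate(make_oracle(victim), estimate)
    rounded = trilaterate(make_oracle(victim, cell=CELL_M), estimate)
    return {
        "exact_error_m": distance(exact, victim),                      # under 1 m
        "rounded_error_m": distance(rounded, victim),                  # over 50 m
        "rounded_vs_cell_m": distance(rounded, snap(victim, CELL_M)),  # under 1 m
    }


if __name__ == "__main__":
    for name, metres in demo().items():
        print(f"{name}: {metres:.1f}")
```

Against the exact oracle the attack recovers the true position to well under a metre using a few dozen yes/no queries per direction. Against the rounded oracle it converges just as cleanly, but onto the grid point, so what leaks is the cell rather than the user: the error is bounded by about half a cell diagonal (roughly 78 m for 111 m cells). Kilometre-scale uncertainty therefore needs rounding coarser than three decimal places, or further measures on top of it.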
Hily and Happn take action to address vulnerability
Dmytro Kononov, CTO and co-founder of Hily, revealed that the company was informed about the vulnerability in May last year. Following extensive consultations with the researchers, new geocoding algorithms were developed to prevent this type of attack. Happn CEO Karima Ben Abdelmalek also confirmed that her company was contacted by the researchers last year, and has since implemented additional protection measures beyond just rounding distances.
Grindr's location accuracy limited to 111 meters
The study found that Grindr could pinpoint users to within approximately 111 meters of their exact coordinates. This is because the app rounds users' precise locations to three decimal places of a degree, and 0.001° of latitude corresponds to about 111 meters. Kelly Peterson Miranda, Chief Privacy Officer at Grindr, clarified that this was an intentional feature and not a bug. She further added that users have the option to hide their distance if they choose to do so.