Swipe Right for Data Leaks: Dating Apps Expose Location, More

Publicated : 23/11/2024   Category : security

Apps like Tinder, Bumble, Grindr, Badoo, OKCupid, MeetMe, and Hinge all have API vulnerabilities that expose sensitive user data, and six allow a threat actor to pinpoint exactly where someone is.



Using dating apps to find love can already be a daunting process. Now, security researchers in Belgium have found that these apps may threaten users' privacy too, by leaking their sensitive data and, worryingly, even their exact location.
Karel Dhondt and Victor Le Pochat, both researchers at Belgian university KU Leuven, analyzed 15 location-based dating apps to see what type of user data a malicious actor might extract from them.
It turns out that all 15 of the apps leaked some type of sensitive user data that could be abused by an attacker, beyond what people share publicly with the app through their public profile or in their personal settings. Le Pochat explains in an interview with Dark Reading that the researchers based their definition of sensitive data on the European Union's General Data Protection Regulation (GDPR), which puts data such as ethnic origin, political opinions, sexual orientation and/or gender, and health information into this category.
"Our main objective was that we specifically wanted to see what risks there are [in terms of] data sharing with other users," he says. "If I'm maliciously on the app, what can I learn about the users around me?"
The apps analyzed include some that are popular globally, such as Tinder, Bumble, Grindr, Badoo, OKCupid, MeetMe, and Hinge, as well as apps that are popular in certain regions, such as Asia's TanTan and Europe's Meetic.
Le Pochat stressed the ease with which someone could access user data from the apps. "To be clear, we did not hack the server in any way," he explains. "If I am using the app, maybe with some additional technical proficiency … and looking at the traffic that's coming in and going out, that already leaks this information."
Moreover, in the case of six of the apps (including three that are well known and widely used: Bumble, Grindr, and Hinge), a malicious actor could pinpoint the exact physical location of someone using the app by interacting with the app and understanding how distances were being calculated, Le Pochat says.
The researchers plan to unveil the findings of a paper on their research, "Swipe Left for Identity Theft: An Analysis of User Data Privacy Risks on Location-based Dating Apps," in a session of the same name at the upcoming Black Hat USA 2024 conference in Las Vegas.
Dhondt and Le Pochat have previously collaborated on similar research identifying how fitness apps such as Strava leak sensitive location information about users, even when they've used in-app features to specifically set up privacy zones to hide their activity within specified areas. That work was presented at Black Hat Asia in 2023.
The examination of dating apps stemmed from Dhondt's PhD research, which focused on location privacy, "specifically if I can extract location data from other users on these services," he tells Dark Reading. The two researchers then extended their research into seeing what other types of data they could access.
To pinpoint a user's exact location, an attacker can use trilateration, the same geometry a GPS receiver uses to compute its own position from its distances to several satellites. Location-based dating apps rely on the general area where someone currently is to deliver potential matches nearby, so the app reports how far away each nearby user is.
Using trilateration, the researchers found that they could take the reported distance from their own position to the victim, repeat the measurement from three or more positions, and intersect the resulting circles at a single point: the location of the app user, with an accuracy that depends on how precise the reported distances are.
Grindr, for instance, delivered what's called exact distance trilateration, which is accurate to the meter even for users who have hidden distance information within their profiles. This can be dangerous for users of the app, which is used predominantly by members of the LGBTQ community, especially in countries where homosexual activity is illegal, such as Egypt, the researchers noted.
Dhondt and Le Pochat also demonstrated rounded distance trilateration against apps that report rounded rather than exact distances for their users' locations, as well as oracle trilateration, which relies on an oracle that indicates through a binary signal whether a victim is located within a defined "proximity distance" of a would-be threat actor. Badoo, Bumble, Hinge, and Hily in particular were susceptible to the latter.
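The three attack variants above differ only in how much the server tells you about the distance; the geometry is the same. The following simulation is an added example, not code from the researchers' paper or from any of the apps. It models a victim at a constructed position in a flat metre-scale frame (the rounding step of 100 m and the oracle radius of 250 m are assumed values chosen for illustration), exposes the three kinds of server response as functions of the attacker's probe position, and recovers the victim's position from each of them. The exact case needs three distances from three non-collinear probe points; the rounded and oracle cases first binary-search along three directions for the point at which the server's answer flips, which is a point at a known distance from the victim, and then trilaterate from those boundary points.

```python
import math

# Constructed example: a flat local frame in metres. The victim's true position is
# known only to the simulated "server"; the attacker learns it purely through the
# three kinds of distance signal described in the text.
VICTIM = (137.0, -52.0)  # constructed value, not from the paper


def _dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


# The three server behaviours, modelled as functions of the attacker's probe position.
def exact_distance(probe):
    """Metre-precise distance, the Grindr-style case."""
    return _dist(probe, VICTIM)


def rounded_distance(probe, step=100.0):
    """Distance floored to a 100 m bucket (assumed rounding rule)."""
    return math.floor(_dist(probe, VICTIM) / step) * step


def proximity_oracle(probe, radius=250.0):
    """Binary 'is the victim within radius?' signal (assumed radius)."""
    return _dist(probe, VICTIM) < radius


def trilaterate(p1, d1, p2, d2, p3, d3):
    """Intersect three circles (centre p_i, radius d_i). Subtracting the circle
    equations pairwise cancels the quadratic terms and leaves two linear
    equations in x and y, solved here by Cramer's rule."""
    (x1, y1), (x2, y2), (x3, y3) = p1, p2, p3
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = d1 ** 2 - d2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    d, e = 2 * (x3 - x2), 2 * (y3 - y2)
    f = d2 ** 2 - d3 ** 2 - x2 ** 2 + x3 ** 2 - y2 ** 2 + y3 ** 2
    det = a * e - b * d
    if abs(det) < 1e-9:
        raise ValueError("probe points are collinear; choose a non-collinear third point")
    return ((c * e - b * f) / det, (a * f - c * d) / det)


def exact_trilateration(probes=((0.0, 0.0), (300.0, 0.0), (0.0, 300.0))):
    """Three exact distances from three non-collinear probe points fix the victim."""
    p1, p2, p3 = probes
    return trilaterate(p1, exact_distance(p1), p2, exact_distance(p2), p3, exact_distance(p3))


def find_boundary(oracle, inside, direction, radius, tol=0.01):
    """Walk from a point the oracle reports as 'inside' along a unit direction and
    binary-search the step length at which the answer flips. That point lies
    exactly `radius` metres from the victim."""
    dx, dy = direction
    lo, hi = 0.0, 4 * radius  # 4R away from any inside point is always outside
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if oracle((inside[0] + dx * mid, inside[1] + dy * mid)):
            lo = mid
        else:
            hi = mid
    t = (lo + hi) / 2
    return (inside[0] + dx * t, inside[1] + dy * t)


def oracle_trilateration(oracle, radius, start):
    """Turn a yes/no proximity signal into three boundary points at a known
    distance, then trilaterate with all three radii equal to that distance."""
    if not oracle(start):
        raise ValueError("start must be a point the oracle reports as inside")
    directions = ((1.0, 0.0), (0.0, 1.0), (-1.0, 0.0))
    pts = [find_boundary(oracle, start, d, radius) for d in directions]
    return trilaterate(pts[0], radius, pts[1], radius, pts[2], radius)


def rounded_trilateration(threshold=100.0, start=(100.0, 0.0)):
    """Rounded distances are an oracle in disguise: 'reported distance < threshold'
    flips exactly when the true distance crosses the bucket edge."""
    return oracle_trilateration(lambda p: rounded_distance(p) < threshold, threshold, start)


def error_metres(estimate):
    """Distance between an estimate and the constructed ground truth."""
    return _dist(estimate, VICTIM)


if __name__ == "__main__":
    runs = (("exact", exact_trilateration()),
            ("rounded", rounded_trilateration()),
            ("oracle", oracle_trilateration(proximity_oracle, 250.0, (0.0, 0.0))))
    for name, est in runs:
        print(f"{name:8s} estimate=({est[0]:.2f}, {est[1]:.2f})  error={error_metres(est):.3f} m")
```

The point of the rounded and oracle variants is that coarsening the number the server returns does not remove the signal: as long as the attacker can move its own position and observe where the answer changes, the edge of the rounding bucket or of the proximity radius is itself an exact distance, and three such edge points are enough. Real deployments add latitude/longitude conversion and GPS spoofing on the attacker side, which this planar model leaves out.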
Determining the exact location of someone on a dating app without their knowledge clearly can pose a physical threat to them due to the intimate nature of interactions that occur in these scenarios, the researchers noted.
"Given that it's related to dating, which really gets to people's emotions and feelings, any privacy leaks or dangers are really exacerbated," Dhondt says. "If people are hurt, they may want to hurt back. That's why it's important that people's privacy and safety is well-maintained by these apps."
In terms of how much personal data is being shared via the various dating apps, some of the apps request and share more personal data than others. The researchers took a look under the hood of the apps to examine the API traffic that is automatically sent to a person's device and can easily be inspected by a malicious actor. They found that all 15 of the apps have some form of leak in their API.
"In most cases, the server is just pushing more data than necessary to the application interface," Le Pochat says. "Maybe in the app it only shows a person's age, but the API is showing the person's exact birthday."
Some of this data could be deemed sensitive and could expose private info that a person deliberately omitted from their dating profile. For example, in Tinder, people can set their gender to be hidden. "However, even if you had set a custom non-binary gender, this also was sent in the background traffic and could be read by anyone even if it was not shown in the app," Le Pochat says.
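The over-sharing pattern described above has a straightforward server-side fix: serialise only the fields the other user's screen actually renders, derive coarse values (age rather than birthday) on the server, and honour the profile's visibility toggles before the response leaves the backend rather than in the client. The following is an added example with a constructed profile record; it is not the code of any of the apps mentioned, and the field names and the `TODAY` reference date are assumptions for illustration.

```python
from datetime import date

# Constructed profile row as a server might store it (not real data from any app).
STORED_PROFILE = {
    "id": 4711,
    "name": "Sam",
    "birthday": "1993-04-17",
    "gender": "non-binary",          # custom gender the user chose to hide
    "show_gender": False,
    "sexual_orientation": "queer",   # GDPR special-category data
    "show_orientation": False,
    "email": "sam@example.org",
    "lat": 50.8791, "lon": 4.7009,   # last known position
    "bio": "Coffee, climbing, bad puns.",
}

# Assumed reference date so that the derived age is deterministic.
TODAY = date(2024, 11, 23)


def leaky_serializer(profile):
    """The pattern the researchers describe: the server ships the whole row and
    relies on the client to hide fields. Anyone inspecting their own traffic
    sees the birthday, the hidden gender, the e-mail and the raw coordinates."""
    return dict(profile)


def age_on(birthday_iso, today):
    """Age in completed years on `today`, computed server-side."""
    b = date.fromisoformat(birthday_iso)
    return today.year - b.year - ((today.month, today.day) < (b.month, b.day))


def minimised_serializer(profile, distance_bucket_m, today=TODAY):
    """Allow-list serialisation for a profile viewed by *another* user: only the
    fields the UI renders, derived rather than raw values, visibility toggles
    applied on the server, and no coordinates or contact data at all."""
    out = {
        "id": profile["id"],
        "name": profile["name"],
        "age": age_on(profile["birthday"], today),
        "bio": profile["bio"],
        "distance_m": distance_bucket_m,   # coarse value supplied by the caller
    }
    if profile["show_gender"]:
        out["gender"] = profile["gender"]
    if profile["show_orientation"]:
        out["sexual_orientation"] = profile["sexual_orientation"]
    return out


def leaked_fields(profile, distance_bucket_m, today=TODAY):
    """Fields the leaky response exposes that the minimised response does not."""
    leaky = set(leaky_serializer(profile))
    minimal = set(minimised_serializer(profile, distance_bucket_m, today))
    return sorted(leaky - minimal)


if __name__ == "__main__":
    print("minimised:", minimised_serializer(STORED_PROFILE, 500))
    print("leaked by the old response:", leaked_fields(STORED_PROFILE, 500))
```

Two caveats follow from the rest of the article. First, the allow-list has to live in the serializer, not in a client-side filter, because the client is the attacker's vantage point. Second, `distance_m` is still a distance signal: rounding it does not by itself defeat the rounded-distance trilateration described above, so the bucket size, update rate and any jitter applied to it need to be reviewed as part of the same threat model.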
The researchers contacted all of the companies with vulnerable apps, and all of the location leaks in the apps that allowed for trilateration have since been fixed, they said. However, some of the apps are still leaking data because some of the companies, while acknowledging the leak, claimed it was intended behavior of the apps, the researchers note.
What this amounts to is that while millions of people all over the world share very personal information with strangers via dating apps, "maybe in some cases, they shouldn't, because it may not be totally secure," Dhondt notes. He urged people to "be very conscious about what info you share."
"We see apps nudge people to share a lot of information to get more matches," he says. "Maybe they should not. What [data the apps] don't have, they can't leak."
