A team of scientists has identified security flaws in several well-known dating applications, such as Bumble and Hinge, that potentially allow nefarious individuals or persistently intrusive figures to ascertain the whereabouts of other users with an accuracy of up to 2 meters.
Through a recently published scholarly article, experts from KU Leuven, a prestigious Belgian institution, shared their investigation results on 15 widely used dating platforms. Their research revealed that Badoo, Bumble, Grindr, happn, Hinge, and Hily were all susceptible to a glitch that could let an attacker determine a user’s almost exact position, the team indicated.
Although these applications do not disclose precise locations when showing how far away users are from each other on their profiles, they do require precise location data for their “filters” feature. Essentially, these filters allow users to refine their search for potential matches using criteria such as age, height, desired type of relationship, and notably, proximity.
The academics employed an innovative approach named “oracle trilateration” to zero in on a user’s exact position. Traditionally, trilateration is a technique used by GPS systems that involves three points and the measurements of their distances from a target location, resulting in three circles that intersect at the target’s location.
Oracle trilateration modifies this method slightly. According to their study, the attacker first approximates the victim’s location, often using the information given on the victim’s profile. Then, by moving in small steps and checking each time if the victim is within a certain range from three different directions, the attacker can establish three specific points of known distance to the victim and thus trilaterate their position, the team described.
“The fact that these apps still contained recognizable vulnerabilities was quite unexpected,” stated Karel Dhondt, a researcher from the study, talking to TechCrunch. Even though this technique doesn’t expose the victim’s exact GPS coordinates, “being within 2 meters is sufficiently precise to locate the user,” Dhondt remarked.
Fortunately, all of the platforms that were notified about these flaws have since modified how their distance filters function, rendering them secure against the oracle trilateration technique. The solution, as outlined by the researchers, involved adjusting the exact coordinates to be less detailed by rounding them to three decimal places.
“This change introduces an element of uncertainty of around one kilometer,” Dhondt explained.
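The effect of that fix can be expressed as a property test: two users a few meters apart must receive identical filter answers from every searcher position. The following is an added example, not code from the study or from any of the apps; the function names, the sample coordinates and the choice to round both parties' coordinates are assumptions made for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(a, b):
    """Great-circle distance in meters between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def coarsen(pos, decimals=3):
    """Round coordinates to three decimal places, the fix the article describes."""
    return (round(pos[0], decimals), round(pos[1], decimals))

def filter_exact(searcher, target, radius_m):
    """Pre-fix behaviour: the distance filter compares exact coordinates."""
    return haversine_m(searcher, target) <= radius_m

def filter_coarse(searcher, target, radius_m):
    """Post-fix behaviour (assumed design): round both sides before comparing."""
    return haversine_m(coarsen(searcher), coarsen(target)) <= radius_m

def distinguishing_probes(filter_fn, probes, pos_a, pos_b, radius_m):
    """Searcher positions for which the filter answers differently for a and b.
    A non-empty result means the filter leaks which of the two positions is real."""
    return [p for p in probes
            if filter_fn(p, pos_a, radius_m) != filter_fn(p, pos_b, radius_m)]

# Constructed sample data: two positions roughly 3 m apart, and a row of
# searcher positions spaced about 1 m apart around the 1000 m filter boundary.
USER_A = (50.87960, 4.70090)
USER_B = (50.87962, 4.70093)
RADIUS_M = 1000.0
PROBES = [(USER_A[0] + k * 0.00001, USER_A[1]) for k in range(880, 920)]

if __name__ == "__main__":
    leaky = distinguishing_probes(filter_exact, PROBES, USER_A, USER_B, RADIUS_M)
    fixed = distinguishing_probes(filter_coarse, PROBES, USER_A, USER_B, RADIUS_M)
    print("exact filter, distinguishing positions:", len(leaky))
    print("coarse filter, distinguishing positions:", len(fixed))
```

A regression test of this shape belongs next to any server-side proximity filter, so that a later change which reintroduces exact coordinates into the comparison fails the build.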
A representative from Bumble responded that the company was alerted to these discoveries early in 2023 and promptly addressed the highlighted issues.
Dmytro Kononov, CTO and co-founder of Hily, conveyed to TechCrunch that upon receiving the report of this vulnerability in May of the previous year, the company conducted a thorough investigation. He noted that while the findings suggested a theoretical risk of trilateration, practical exploitation was deemed impractical due to Hily’s internal protective mechanisms and search logic. He added, “Nonetheless, we collaborated closely with the report’s authors, devising new geolocation algorithms that effectively prevent such attacks. These improved algorithms have been in place for over a year now.”
As of this writing, neither Badoo (a subsidiary of Bumble) nor Hinge had offered comments regarding the matter.
Karima Ben Abdelmalek, CEO and President of Happn, shared with TechCrunch that upon being approached by the investigators last year, Happn’s Chief Security Officer reviewed the findings. She stated, “After discussing the trilateration method with the researchers, we confirmed that Happn incorporates an additional level of security beyond mere distance rounding. This extra security measure was not considered in their initial assessment, and after further discussion, it was agreed that our added precaution indeed renders the trilateration method ineffective on Happn.”
Moreover, the research also highlighted that Grindr users could be located within approximately 111 meters of their precise positions. Though significantly broader than the 2-meter range of the other apps, this could still pose a risk, especially in less populated areas, the study suggested.
Grindr has implemented a policy of rounding user locations to the nearest 111 meters as a design choice rather than a flaw, the investigators discovered upon reaching out to Grindr. In response, Grindr’s Chief Privacy Officer, Kelly Peterson Miranda, emphasized that for many in the LGBTQ+ community, Grindr serves as a vital link, and proximity is key for users wishing to connect. “Like many geo-social networks and dating apps, Grindr needs some location data to function effectively, but it is up to our users to decide how much they wish to share,” Miranda added.
Compiled by Techarena.au.


