Swipe Right for Data Leaks: Dating Apps Expose Location, More
Apps like Tinder, Bumble, Grindr, Badoo, OKCupid, MeetMe, and Hinge all have API vulnerabilities that expose sensitive user data, and six allow a threat actor to pinpoint exactly where someone is.
July 22, 2024
Using dating apps to find love can already be a daunting process. Now, security researchers in Belgium have found that dozens of these apps may threaten users' privacy too, by leaking their sensitive data and, worryingly, even their exact location.
Karel Dhondt and Victor Le Pochat, both researchers at Belgian university KU Leuven, analyzed 15 location-based dating apps to see what type of user data a malicious actor might extract from them.
It turns out that all 15 of the apps leaked some type of sensitive user data "that could be abused by the attacker" beyond what people share publicly with the app through their public profile or in their personal settings. Le Pochat explains in an interview with Dark Reading that the researchers based their definition of "sensitive" data on the European Union's General Data Protection Regulation (GDPR), which puts data such as ethnic origin, political opinions, sexual orientation and/or gender, and health information into this category.
"Our main objective was that we specifically wanted to see what risks there are [in terms of] data sharing with other users," he says. "If I'm maliciously on the app, what can I learn about the users around me?"
The apps analyzed include some that are popular globally, such as Tinder, Bumble, Grindr, Badoo, OKCupid, MeetMe, and Hinge, as well as apps that are popular in certain regions, such as Asia's TanTan and Europe's Meetic.
Sensitive Data and Location Exposed
Le Pochat stressed the ease with which someone could access user data from the apps. "To be clear, we did not hack the server in any way," he explains. "If I am using the app, maybe with some additional technical proficiency … and looking at the traffic that's coming in and going out, that already leaks this information."
Moreover, in the case of six of the apps (including three that are well known and widely used: Bumble, Grindr, and Hinge), a malicious actor could pinpoint the exact physical location of someone using the app "through interacting with the app and understanding how distances were being calculated," Le Pochat says.
The researchers plan to unveil the findings of a paper on their research, called "Swipe Left for Identity Theft: An Analysis of User Data Privacy Risks on Location-based Dating Apps," in a session of the same name at the upcoming Black Hat USA 2024 conference in Las Vegas.
Dhondt and Le Pochat have previously collaborated to conduct similar research identifying how fitness apps such as Strava leak sensitive location information of users, even when they've used in-app features to specifically set up privacy zones to hide their activity within specified areas. That work was presented at Black Hat Asia in 2023.
The examination of dating apps stemmed from Dhondt's PhD research, which focused on location privacy, specifically "if I can extract location data from other users on these services," he tells Dark Reading. The two researchers then extended their research into seeing what other type of data they could access.
GPS Method Pinpoints Location
To exploit apps to pinpoint a user's exact location, an actor can use a method called trilateration that is similar to how GPS satellites track location. Location-based dating apps rely on the general area of where someone currently is to deliver potential matches of other people nearby.
Using trilateration, the researchers found that they could take the known distance from their location to the victim and construct a series of circles with intersection points that lead to a precise location of the app user with varying accuracy.
Grindr, for instance, delivered what's called "exact distance trilateration," which is accurate to the meter even for users who have hidden distance information within their profiles. This can be dangerous for users of the app, which is used predominantly by members of the LGBTQ community, especially in countries where homosexual activity is illegal, such as Egypt, the researchers noted.
Dhondt and Le Pochat also could pinpoint "rounded distance trilateration" in apps that used rounded distances rather than exact distances for their users' locations, as well as "oracle trilateration," which uses an oracle that indicates through a binary signal whether a victim is located within a defined "proximity distance" from a would-be threat actor. The apps Badoo, Bumble, Hinge, and Hily in particular were susceptible to the latter.
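The following simulation is an added illustration, not code from the researchers or from any of the apps. It compares three server-side distance-disclosure policies on a constructed planar scenario: returning the exact distance, rounding the distance to 100 m (the "rounded distance" case above), and computing the distance from the centre of a 1 km grid cell rather than from the user's true position. The observer positions, the user's position, the cell size and the rounding step are all assumptions chosen for the example.

```python
import math

# Constructed scenario (not from the paper): planar (x, y) positions in metres
# around a fictional origin; no real users or coordinates are involved.
USER_TRUE = (1234.0, 567.0)                              # the user's real position
OBSERVERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0)]   # three positions a nearby client reports
GRID_M = 1000.0                                          # side length of the obfuscation cell
ROUND_M = 100.0                                          # step for the "rounded distance" policy


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def snap_to_grid(p, cell=GRID_M):
    """Server-side mitigation: compute distances from the centre of the user's
    grid cell instead of from the user's true position."""
    return (math.floor(p[0] / cell) * cell + cell / 2,
            math.floor(p[1] / cell) * cell + cell / 2)


def reported_distance(policy, observer, user=USER_TRUE):
    """Distance the API would disclose to an observer under each policy."""
    if policy == "exact":
        return dist(observer, user)
    if policy == "rounded":
        return round(dist(observer, user) / ROUND_M) * ROUND_M
    if policy == "snapped":
        return dist(observer, snap_to_grid(user))
    raise ValueError(f"unknown policy {policy!r}")


def trilaterate(circles):
    """Intersect three (centre, radius) circles by subtracting the first circle's
    equation from the other two, which leaves two linear equations in (x, y)."""
    (x0, y0), r0 = circles[0]
    rows = []
    for (xi, yi), ri in circles[1:3]:
        a = 2 * (xi - x0)
        b = 2 * (yi - y0)
        c = r0 ** 2 - ri ** 2 - x0 ** 2 + xi ** 2 - y0 ** 2 + yi ** 2
        rows.append((a, b, c))
    (a1, b1, c1), (a2, b2, c2) = rows
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("observer positions are collinear; pick a third one off the line")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def estimate(policy, observers=OBSERVERS):
    """Best position inferable from the three disclosed distances."""
    return trilaterate([(o, reported_distance(policy, o)) for o in observers])


def error_m(policy):
    """Distance between that inferred position and the user's true position."""
    return dist(estimate(policy), USER_TRUE)


if __name__ == "__main__":
    for policy in ("exact", "rounded", "snapped"):
        x, y = estimate(policy)
        print(f"{policy:8s} inferred ({x:7.1f}, {y:7.1f})  error {error_m(policy):6.1f} m")
    print(f"snapped: error is bounded by half the cell diagonal, "
          f"{GRID_M * math.sqrt(2) / 2:.1f} m")
```

With exact distances the three circles meet at the user's true position; with 100 m rounding the estimate is still within a few tens of metres, which is why rounding alone is a weak defence; with grid snapping every disclosed distance is consistent with the cell centre, so the error is bounded by half the cell diagonal no matter how many query positions are used. The oracle variant named in the text is not simulated here, but the same bound applies to it if the proximity answer is also computed from the cell centre. The example does not model a user moving across cell boundaries over time.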
Determining the exact location of someone on a dating app without their knowledge clearly can pose a physical threat to them due to the intimate nature of interactions that occur in these scenarios, the researchers noted.
"Given that it's related to dating, which really gets to people's emotions and feelings, any privacy leaks or dangers are really exacerbated," Dhondt says. "If people are hurt, they may want to hurt back. That's why it's important that people's privacy and safety is well-maintained by these apps."
Traffic Reveals Data
In terms of how much personal data is being shared via the various dating apps, some of the apps request and share more personal data than others. Researchers took a look under the hood of the apps to examine API traffic that's automatically sent to a person's device and can easily be inspected by a malicious actor. They found that all 15 of the apps have some form of leak in their API.
"In most cases, the server is just pushing more data than necessary to the application interface," Le Pochat says. "Maybe in the app it only shows a person's age, but the API is showing the person's exact birthday."
Some of this data could be deemed sensitive and could expose private info that a person deliberately omitted from their dating profile. For example, in Tinder, people can set their gender to be hidden. However, "even if you had set a custom non-binary gender, this also was sent in the background traffic and could be read by anyone even if it was not shown in the app," Le Pochat says.
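As an added example (not code from any of the apps discussed), the snippet below shows the server-side fix for the over-sharing pattern Le Pochat describes: an allowlist projection that derives the age the UI renders instead of returning the birthday, honours the user's hide-gender setting, and a regression check that flags any GDPR special-category field or hidden field that slips into a response. The record, field names and dates are constructed for the illustration.

```python
from datetime import date

# Constructed back-end record for a fictional user (not real data).
SERVER_RECORD = {
    "id": "u-0001",
    "display_name": "Sam",
    "birthday": "1991-04-17",          # the UI only ever renders an age
    "gender": "non-binary",
    "gender_hidden": True,             # user opted out of showing gender
    "orientation": "queer",
    "ethnicity": "undisclosed",
    "health_notes": "",
    "phone": "+32-000-000000",
}

# Fields the profile screen actually renders. Everything else stays server-side.
UI_FIELDS = ("id", "display_name")

# Special-category data (the GDPR categories named in the article) plus raw
# identifiers: these must never appear in a profile response, whatever the UI does.
NEVER_SEND = frozenset({"orientation", "ethnicity", "health_notes",
                        "political_views", "birthday", "phone"})


def age_on(birthday_iso, today_iso):
    """Whole years between an ISO birthday and an ISO reference date."""
    b = date.fromisoformat(birthday_iso)
    t = date.fromisoformat(today_iso)
    return t.year - b.year - ((t.month, t.day) < (b.month, b.day))


def public_profile(record, today_iso):
    """Allowlist projection: emit only what the UI shows, derived where needed."""
    out = {k: record[k] for k in UI_FIELDS}
    out["age"] = age_on(record["birthday"], today_iso)   # age, never the birthday
    if not record.get("gender_hidden", False):           # honour the hide setting
        out["gender"] = record["gender"]
    return out


def forbidden_fields(response, record):
    """Regression check for API responses: names of never-send fields, or of
    fields the user chose to hide, that are present in the response."""
    bad = {k for k in response if k in NEVER_SEND}
    if record.get("gender_hidden", False) and "gender" in response:
        bad.add("gender")
    return sorted(bad)


if __name__ == "__main__":
    raw_leaks = forbidden_fields(SERVER_RECORD, SERVER_RECORD)
    print("sending the raw record would leak:", raw_leaks)
    safe = public_profile(SERVER_RECORD, "2024-07-22")
    print("allowlisted response:", safe)
    print("leaks in allowlisted response:", forbidden_fields(safe, SERVER_RECORD))
```

The point of `forbidden_fields` is that it can run in an integration test against every profile endpoint, so that a new field added to the back-end model is caught before it reaches background traffic that any client can inspect.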
Vulnerabilities Fixed, Mostly
The researchers contacted all of the companies with vulnerable apps, and all of the location leaks in the apps that allowed for trilateration have since been fixed, they said. However, some of the apps are still leaking data because some of the companies, while acknowledging the leak, claimed it was "intended behavior" of the apps, the researchers note.
What this amounts to is that while millions of people all over the world share very personal information with strangers via dating apps, maybe in some cases, they shouldn't, because it may not be totally secure, Dhondt notes. He urged people to "be very conscious about what info you share."
"We see apps nudge people to share a lot of information to get more matches," he says. "Maybe they should not. What [data the apps] don't have, they can't leak."