Tinder security flaw exposes users' locations

A vulnerability in the popular "dating" app Tinder exposed users' exact coordinates, according to security experts.

The folks at Include Security found the flaw late last year, not long after the discovery of another Tinder vulnerability that let someone with even the most novice programming skills find the latitude and longitude of any user.

According to IncludeSec's Max Veytsman, fixing the first problem created a new one, though a portion of that has since been resolved.

"Tinder is no longer returning exact GPS co-ordinates for its users," Veytsman wrote in a blog post. "But it is leaking some location information that an attack can exploit."

To test his theories, Veytsman built a private Web app called Tinder Finder, which requires the user ID of a target and a specific city, such as New York, Chicago, or Toronto, which the analyst used. He demonstrated the glitch in a video.

"Tinder has fixed this, and they've followed our recommendations for how to mitigate it. And this is no longer possible to do," Veytsman said in the video.

Tinder co-founder and CEO Sean Rad admitted in a statement that the technical exploit "theoretically" could have led to someone calculating a user's last-known location. But the company quickly implemented specific measures to enhance location security, he said, and further obscure location data.

"We are not aware of anyone else attempting to use this technique," Rad said. "Our users' privacy and security continue to be our highest priority."

This flaw is not Tinder-specific. According to Veytsman's FAQ section, location information handling has been a common source of vulnerabilities among various applications.

IncludeSec first notified Tinder of the issue in late October, and reported the problem fixed by Jan. 1.