First brought to our attention by researchers at Include Security, the vulnerability allowed anyone with a basic understanding of the API that Tinder is built on to pinpoint the location of any user.
By querying the service, an attacker could discover the coordinates of any user of their choosing by relying on an old surveying technique known as “trilateration”. Trilateration fixes an unknown position from its distances to three known points: if you know how far a target is from each of three positions you control, the target must sit where the three circles of those radii intersect. Here the known points were positions the attacker chose, and the distances came from the service’s own responses. The attack needs no cell towers and no access to the target’s phone; all it needs is distances reported precisely enough for the three circles to meet at a useful point.
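To make the technique concrete, the following is an added example written for this page; it is not code from the article or from Include Security, and it does not talk to Tinder. A constructed "distance oracle" stands in for the service: it returns the great-circle distance from a caller-supplied position to a hidden target, as a proximity feature does. The attacker queries it from three positions of their own choosing and solves the three circles for the target. The coordinates, anchor positions and the 1,600 m rounding step are all assumptions made up for the demonstration; the second run shows that rounding the reported distance to about a mile pushes the solve off by well over a hundred metres, which is the precision a service should be willing to give away.

```python
"""
Trilateration of a user from the distances a proximity service reports.

Added example, not from the original article or from Include Security.
The oracle below is a constructed stand-in for a real service's
"distance to user" response; nothing here contacts any real API.
"""
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius, metres

# Constructed test data: the hidden target the attacker wants to locate.
# (Arbitrary coordinates, not anyone's real position.)
TARGET = (40.7580, -73.9855)

# Three attacker-chosen query positions a few km from the target.  A real
# attacker sets these by controlling the location the client reports.
# Assumed values; they must not be collinear.
ANCHORS = [
    (40.7300, -73.9900),
    (40.7900, -73.9500),
    (40.7600, -74.0200),
]


def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, p)
    lat2, lon2 = map(math.radians, q)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    a = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def make_oracle(target, precision_m=None):
    """Constructed stand-in for the service's 'how far away is this user' answer.

    precision_m=None returns the exact distance; an integer rounds the
    reported distance to that many metres, as a service that only says
    'about 2 km away' effectively does.
    """
    def oracle(query_pos):
        d = haversine_m(query_pos, target)
        if precision_m:
            d = round(d / precision_m) * precision_m
        return d
    return oracle


def trilaterate(anchors, distances):
    """Return the (lat, lon) at the given distances from three anchors.

    Works in a local flat-earth frame centred on the first anchor, which is
    accurate to about a metre for anchors within a few tens of km.
    """
    lat0, lon0 = anchors[0]
    lat_ref = math.radians(sum(a[0] for a in anchors) / 3)
    kx = EARTH_RADIUS_M * math.cos(lat_ref) * math.pi / 180  # metres per degree of longitude
    ky = EARTH_RADIUS_M * math.pi / 180                      # metres per degree of latitude

    def to_local(p):
        return ((p[1] - lon0) * kx, (p[0] - lat0) * ky)

    (x1, y1), (x2, y2), (x3, y3) = map(to_local, anchors)
    r1, r2, r3 = distances
    # Subtracting circle 1 from circles 2 and 3 cancels the quadratic terms,
    # leaving two linear equations in x and y.
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = r1 ** 2 - r2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    b2 = r1 ** 2 - r3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("anchors are collinear; pick a third query position off the line")
    x = (b1 * a22 - a12 * b2) / det
    y = (a11 * b2 - a21 * b1) / det
    return (lat0 + y / ky, lon0 + x / kx)


def locate(oracle, anchors=ANCHORS):
    """One full attack: query the oracle from each anchor, then solve."""
    return trilaterate(anchors, [oracle(a) for a in anchors])


if __name__ == "__main__":
    exact = locate(make_oracle(TARGET))
    coarse = locate(make_oracle(TARGET, precision_m=1600))
    print("exact-distance oracle: %s, error %.1f m" % (exact, haversine_m(exact, TARGET)))
    print("mile-rounded oracle:   %s, error %.1f m" % (coarse, haversine_m(coarse, TARGET)))
```

Three queries are the minimum; with real, noisy distances an attacker would take more and solve by least squares, but the principle is the same, and the defensive lesson is the inverse of the attack: the error of the solve scales with the precision of the distance the service returns, so coarsen it before it leaves the server.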
Include first brought the issue to Tinder’s attention on October 23rd of last year, and shortly afterwards received a curt-yet-ambiguous reply of “Thank you” from the company’s CEO.
Erik Cabetas, Managing Partner and Founder of Include Security was quoted in response to the story:
“Due to Tinder’s architecture, it is not possible for one Tinder user to know if another took advantage of this vulnerability during the time of exposure. The repercussions of a vulnerability of this type were pervasive given Tinder’s massive global base of users. Once our research team discovered it, we reported the vulnerability directly to Tinder and followed up multiple times between October and December 2013 to ensure they were addressing the problem.”
One might assume the news isn’t exactly surprising, considering you can’t even use Tinder unless location services on your phone are turned on. The app is literally designed to find people within a 10-mile radius of your exact point on the map. Showing you who is nearby, though, is not the same as handing out their exact coordinates.
A fix was implemented by Tinder somewhere in late December or early January, although no one is sure how much location data was exposed while the vulnerability went unchecked for nearly all of 2013.