SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
21 Jan 2015

Dating app makes it easy to stalk

Mobile dating apps have revolutionized the pursuit of love and sex by allowing people not only to find like-minded mates but to identify those who are literally right next door, or even in the same bar, at any given time.

Location sharing allows users' whereabouts to be tracked around the clock. That convenience is a double-edged sword, warn researchers.

To prove their point, they exploited weaknesses in Grindr, a dating app with more than five million monthly users, to identify users and construct detailed histories of their movements. The proof-of-concept attack worked because of weaknesses identified five months ago by an anonymous post on Pastebin. Even after researchers from security firm Synack independently confirmed the privacy threat, Grindr officials have allowed it to remain for users in all but a handful of countries where being gay is illegal.

As a result, geographic locations of Grindr users in the US and most other places can be tracked down to the very park bench where they happen to be having lunch or bar where they're drinking and monitored almost continuously, according to research scheduled to be presented at the Shmoocon security conference in Washington.

Grindr officials declined to comment for this post beyond what they said in posts here and here published more than four months ago. As noted, Grindr developers modified the app to disable location tracking in Russia, Egypt, Saudi Arabia, Nigeria, Liberia, Sudan, Zimbabwe, and any other place with anti-gay laws. Grindr also locked down the app so that location information is available only to people who have set up an account. The changes did nothing to prevent the Synack researchers from setting up a free account and tracking the detailed movements of several fellow users who volunteered to participate in the experiment.

Pinpointing users’ precise locations

The proof-of-concept attack works by abusing a location-sharing function that Grindr officials say is a core offering of the app. The feature allows a user to know when other users are close by. The programming interface that makes the information available can be abused by sending Grindr rapid queries that falsely supply different locations of the requesting user. By using three separate fictitious locations, an attacker can map the other users' precise location using the mathematical process known as trilateration.

Synack researcher Colby Moore said his firm alerted Grindr developers of the threat last March. Aside from turning off location sharing in countries that host anti-gay laws and making location data available only to authenticated Grindr users, the weakness remains a threat to any user that leaves location sharing on. Grindr introduced those limited changes following a report that Egyptian police used Grindr to track down and prosecute gay people. Moore said there are several things Grindr developers could do to better fix the weakness.

"The biggest thing is don't allow vast distance changes repeatedly," he told Ars. "If I say I'm five miles here, five miles there within a matter of 10 seconds, you know something is false. There are a lot of things you can do that are easy on the backside." He said Grindr could also do things to make the location data slightly less granular. "You just introduce some rounding error into a lot of these things. A user will report their coordinates, and on the backend side Grindr can introduce a slight falsehood into the reading."
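The two server-side mitigations Moore describes, sketched as an added example (not code from Grindr, Synack, or the original article): a plausibility check that rejects self-reported positions implying impossible travel speed, and coarsening of coordinates to a fixed grid. The speed ceiling, grid size, function names, and sample updates are assumptions made for illustration.

```python
import math

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0   # assumed ceiling: roughly airliner speed
GRID_DEG = 0.01          # assumed grid: about 1.1 km of latitude


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def implausible_jumps(updates, max_speed_kmh=MAX_SPEED_KMH):
    """Return indexes of updates whose implied speed from the last accepted
    position exceeds max_speed_kmh. updates: list of (unix_ts, lat, lon)."""
    flagged = []
    last = updates[0]
    for i, cur in enumerate(updates[1:], start=1):
        hours = max(cur[0] - last[0], 1) / 3600.0  # floor the interval at 1 s
        speed = haversine_km(last[1:], cur[1:]) / hours
        if speed > max_speed_kmh:
            flagged.append(i)      # reject; keep the last trusted position
        else:
            last = cur
    return flagged


def coarsen(lat, lon, grid=GRID_DEG):
    """Snap a reported position to a fixed grid before computing distances.
    Snapping is deterministic, so repeated queries return the same value."""
    return (round(round(lat / grid) * grid, 6), round(round(lon / grid) * grid, 6))


# Constructed sample: one account's self-reported positions over 20 seconds.
SAMPLE = [
    (1000, 37.7749, -122.4194),
    (1005, 37.8199, -122.4194),   # ~5 km north, 5 s later
    (1010, 37.7749, -122.3624),   # ~5 km east, 5 s later
    (1020, 37.7750, -122.4193),   # back near the start, 20 s after it
]
```

Flagged updates are compared against the last accepted position rather than the previous request, so a burst of spoofed locations cannot establish a new baseline for itself.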

The exploit allowed Moore to compile a detailed dossier on volunteer users by tracking where they went to work in the morning, the gyms where they exercised, where they slept at night, and other places they frequented. Using this data and cross referencing it with public records and data contained in Grindr profiles and other social networking sites, it would be possible to uncover the identities of these people.

"Using the framework we developed, we were able to correlate identities very easily," Moore said. "Most users on the application share lots and lots of additional personal details such as race, height, weight, and a photo. Many users also linked to social media accounts within their profiles. The concrete example would be that we were able to replicate this attack multiple times on willing participants without fail."

Moore was also able to abuse the feature to compile one-time snapshots of 15,000 or so users located in the San Francisco Bay area, and, before location sharing was disabled in Russia, Grindr users visiting the Sochi Olympics. Moore said he focused on Grindr because it caters to a group that is often targeted. He said he has observed the same sort of threat stemming from non-Grindr mobile social networking apps as well. "It's not just Grindr that's doing this," he said. "I've looked at five or so dating apps and all are vulnerable to similar vulnerabilities." Also, you should know that WhatsApp flaw leaves user location vulnerable to hackers and spy agencies.

Tags:
information leaks hackers
Source:
Ars Technica