A group of researchers said they found that design vulnerabilities in several dating apps, including the popular Bumble and Hinge, could allow malicious users or stalkers to pinpoint a victim's location to within two metres.
In a new academic paper, researchers from the Catholic University of Leuven in Belgium detailed their analysis of 15 popular dating apps, of which Badoo, Bumble, Grindr, happn, Hinge and Hily all had the same vulnerability that could potentially help malicious users pinpoint other users' near-exact locations, the researchers said.
While both apps don't reveal precise location information when displaying the distance between users on their profiles, they do use precise location information in the app's “filters” feature. In general, filters allow users to customize their partner search based on criteria such as age, height, the type of relationship they're looking for, and most importantly, distance.
To pinpoint the target user's exact location, the researchers used a new technique they call “oracle trilateration.” Trilateration, commonly used in GPS and similar systems, works by using three points to measure their distance to a target. This creates three circles that intersect at the point where the target is located.
Oracle trilateration works a little differently. In their paper, the researchers write that someone wanting to locate a target should first “roughly estimate the victim's location” based, for example, on the location displayed in the target's profile. Then, the attacker “moves slightly in three different directions until the oracle indicates that the victim is not in close proximity. The attacker then knows three locations with known precise distances, i.e., pre-selected close distances, and can trilaterate the victim,” the researchers write.
“We were a bit surprised to see that known issues still exist in these popular apps,” one of the researchers, Karel D'Hondt, told TechCrunch. While the technology doesn't reveal a victim's exact GPS coordinates, “we think two meters is enough to identify the user,” D'Hondt said.
Fortunately, all of the affected apps the researchers contacted have changed the way their distance filters work, making them less susceptible to the oracle trilateration technique. The fix, according to the researchers, was to round up exact coordinates to three decimal places, reducing their precision and accuracy.
“That's an uncertainty of about a kilometre,” D'Hondt said.
A Bumble spokesperson said the company “became aware of these findings in early 2023 and promptly addressed the issues outlined.”
In a statement to TechCrunch, Hily CTO and co-founder Dmytro Kononov said the company received reports of the vulnerabilities in May of last year and conducted an investigation to evaluate the researchers' claims.
“The findings of the study hinted at the potential for trilateration. However, in practice, it was impossible to exploit this in an attack. This is due to our internal mechanisms designed to protect against spammers, and the logic of our search algorithms,” Kononov said. “Nevertheless, we held extensive consultations with the report's authors and jointly developed new geocoding algorithms to completely eliminate this type of attack. These new algorithms have been successfully implemented for over a year now.”
Neither Badoo, which is owned by Bumble, nor Hinge responded to requests for comment.
In an emailed statement to TechCrunch, Karima Ben Abdelmalek, CEO and president of Happn, said the company was contacted by the researchers last year.
“After our Chief Security Officer reviewed the findings, we had a chance to discuss the trilateration methodology with the researchers. However, happn has an additional layer of protection that goes beyond rounding the distance,” Ben Abdelmalek said. “This additional protection was not taken into account in their analysis, and we mutually agreed that this additional measure by happn renders the trilateration technique ineffective.”
The researchers also found that malicious actors could pinpoint the location of users of another popular dating app, Grindr, up to about 111 meters away from their exact coordinates — better than the two meters other apps allow, but still potentially dangerous, the researchers said.
“We argue that the distance corresponding to this accuracy, 111 metres, is insufficient in sparsely populated areas,” D'Hondt said.
Grindr rounds down a user's exact location to three decimal places, so it can't go any lower than 111 meters. The researchers said that when they contacted Grindr, the company said this was a feature, not a bug.
“For many users, Grindr is their only connection to the LGBTQ+ community, and the proximity Grindr provides to this community is paramount in giving them the ability to interact with the people closest to them,” Grindr's chief privacy officer Kelly Peterson Miranda said in a statement.
“Like many location-based social networks and dating apps, Grindr requires specific location information to connect users with people nearby,” Miranda said, adding that users can disable distance display if they wish. “Grindr users have control over the location information they provide.”