"Towards the end of 2013 we found a vulnerability that lets you get exact latitude and longitude co-ordinates for any Tinder user," Max Veytsman wrote on Include Security's blog.
A popular dating app, Tinder connects to Facebook profiles and offers matches based on proximity. The only details users see are a few photos, mutual friends, mutual interests, and an optional one-line bio. Users swipe left to say "no" and swipe right to say "yes" to a match. If both people say they're interested, an alert pops up, and they have the option to send a message.
Users are supposed to see how many miles away another user is, but not that person's exact location.
This is the second location-privacy flaw found in the app. In 2013, Veytsman explained, "anyone with rudimentary programming skills could query the Tinder API directly and pull down the co-ordinates of any user."
That issue was fixed, but in the process the company inadvertently opened another security loophole.
"Tinder is no longer returning exact GPS co-ordinates for its users, but it is leaking some location information that an attacker can exploit. The distance_mi field is a 64-bit double. That's a lot of precision that we're getting, and it's enough to do really accurate triangulation!" he wrote.
With three or more distance points, you can determine a person's coordinates:
"When I know the city my target lives in, I create 3 fake accounts on Tinder. I then tell the Tinder API that I am at three locations around where I guess my target is. Then I can plug the distances into the formula on this Wikipedia page."
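A worked illustration of why a full-precision distance field leaks position, added here and not taken from Veytsman's write-up or his TinderFinder tool. The target position and the three probe positions are constructed, and the flat-plane coordinates in miles are an assumption that holds well enough over a few miles; the example contrasts the leaky 64-bit double with a distance coarsened to the whole miles users actually see.

```python
import math

# Constructed example (not from the Include Security write-up): a target at
# (3.0, 4.0) miles from a local reference point, and three probe accounts
# placed at known positions around it. Coordinates are a local flat-plane
# approximation in miles, which is accurate enough over a few miles.
TARGET = (3.0, 4.0)
PROBES = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]


def distance(a, b):
    """Euclidean distance in the local plane (what the API's distance_mi reveals)."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


def trilaterate(probes, dists):
    """Recover (x, y) from three probe positions and their reported distances.

    Subtracting the circle equations of probes 2 and 3 from probe 1 leaves a
    2x2 linear system in x and y, solved here with Cramer's rule.
    """
    (x1, y1), (x2, y2), (x3, y3) = probes
    r1, r2, r3 = dists
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = r1**2 - r3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-12:
        # Three collinear probes do not pin down a unique point.
        raise ValueError("probe positions are collinear; move one probe off the line")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def leak_error(quantize):
    """Positioning error (miles) an observer gets when the server passes each
    true distance through `quantize` before reporting it.

    quantize = identity models the leaky 64-bit double; round() models a
    server that only reports whole miles.
    """
    reported = [quantize(distance(p, TARGET)) for p in PROBES]
    estimate = trilaterate(PROBES, reported)
    return distance(estimate, TARGET)


if __name__ == "__main__":
    print("error with exact double distances:", leak_error(lambda d: d))
    print("error with whole-mile distances:  ", leak_error(lambda d: float(round(d))))
```

With exact doubles the target is recovered to floating-point precision; with whole miles a single triple of probes still lands within a few hundred yards, so coarsening the field narrows the leak rather than closing it.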
To further illustrate his point, Veytsman created a private webapp called "TinderFinder." He said he only tested the app on accounts that he controls, and the company kept the app internal because it did not want to jeopardize any users' safety.
He walked readers through the process, and created a video demonstration.
Include Security first notified Tinder of the vulnerability via an email to customer service on Oct. 23, 2013, and reached out to the CEO the following day. They say they immediately received a "thank you" and nothing further. When they did not hear back, they checked in again on Nov. 8 and Dec. 2, when their message was forwarded to a tech team.
When Include Security ran the tests again on Jan. 1, 2014, the vulnerability appeared to be fixed. They've inquired about fix details, but none have been provided.
"As the issue does not seem to be reproducible and we have no updates from the vendor," he concluded, the fix appears to have worked.