Thursday, July 19, 2018

How Tinder Keeps Your Exact Location (a Bit) Private

Robert Heaton (via Tanner Bennett):

In 2013, it was discovered that the Tinder servers sent potential matches’ exact co-ordinates to the Tinder phone app. The app internally used these co-ordinates to calculate distances between users, and did not display them in the interface. However, an attacker could easily intercept their own Tinder network traffic, inspect the raw data, and reveal a target’s exact location. When the issue was discovered, Tinder denied the possibility that it was either avoidable or bad.


Tinder attempted to quietly fix this vulnerability by calculating distances on their servers instead of in their app. Now the network messages sent from server to app contained only these pre-calculated distances, with no actual locations. However, Tinder carelessly sent these distances as exact, unrounded numbers with a robust 15 decimal places of precision.


This new oversight allowed sneaky researchers to once again pinpoint a target’s exact location using a different, trilateration exploit. The researchers sent 3 spoofed location updates to Tinder to jump themselves around the city. At each new location they asked Tinder how far away their target was.

Tinder fixed this problem by rounding the distances. Straightforward rounding would also allow the location to be triangulated, but it turns out that they do something more clever.

Comments RSS · Twitter

Leave a Comment