Tinder app has been secretly showing user’s exact locations for months (updated)

20 Feb 2014

Using triangulation, a person's whereabouts could be pin-pointed

Tinder, the dating app used by millions across the world, has been found to contain a massive security flaw that has been showing a user’s exact location for a number of months.

Despite the app working off the basis of a user’s location relative to a person they would match with through the app, it was understood there was an element of precaution whereby it would only round to the nearest mile, thereby making sure that a user’s exact location at any time could not be calculated.

Now however, online US security firm Include Security has found this is not the case and any user’s whereabouts up to 30m could be figured out by any basic-level hacker.

Include Security helps companies by attempting to find faults in their coding and report them, a model known as ‘white hat hacking’.

However, the company’s policy puts pressure on these companies to fix the problem as soon as possible, as they promise to release online how they bypassed an app’s security after three months if it isn’t fixed.

To show how easy it works, the Include Security team built a web app which would make it as simple as typing a location or name into a search bar and a user’s exact locations would pop up in Google Maps using a triangulation system, which is one of the easiest ways of pinpointing a person’s location.

Tinder’s CEO Sean Rad has since issued a statement saying they have addressed some of the security issues by adding specific measures to enhance location security and further obscure location data.

This is not the first time Tinder’s use of a person’s location has been brought into question as a flaw late last year that could allow you to get exact latitude and longitude co-ordinates for any Tinder user.

Updated 21/2/14 to indicate that Tinder’s security flaw last year was not found by Include Security but by another group.

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com