Hinge & Bumble loophole exposed the exact location of users

❘ Published: 2024-08-01T11:15:34

Swiping right to find a date is not as safe as first thought and could reveal your location details to stalkers.

Researchers have found severe vulnerabilities in the mobile apps of leading dating apps. Popular choices like Bumble could compromise privacy.

This is according to a group of researchers from the Belgian university KU Leuven. The security loopholes in these applications revealed the location, accurately up to 2 meters (6 and 1/2 feet).

Researchers tested the 15 most popular dating apps in the study. They said that platforms like Badoo, Bumble, Grindr, happn, Hinge, and Hily allowed attackers to exploit distance filters. These bad actors would then use a technique called Oracle Trilateration to determine precise coordinates.

Oracle Trileration is a process where the person trying to find someone first guesses where they might be. Then, they move around in three directions until the app says the target is out of range. This gives them three points to work from. With these three points, they can almost precisely figure out where the target is.

Typically, filters like age, height, relationship type, and others help determine a perfect match. However, the distance filter could expose the user’s location when used in conjunction with Oracle Trileration.

That said, most platforms have addressed the issues and made the coordinates less precise. The effort should make it difficult to track users beyond one kilometer.

Dmytro Kononov, CTO and co-founder of Hily told TechCrunch that they came to know about the vulnerability in May 2023 and investigated the claims internally.

He said, “The findings indicated a potential possibility for trilateration. However, in practice, exploiting this for attacks was impossible. This is due to our internal mechanisms designed to protect against spammers and the logic of our search algorithm,” Kononov said.

“Despite this, we engaged in extensive consultations with the authors of the report and collaboratively developed new geocoding algorithms to completely eliminate this type of attack. These new algorithms have been successfully implemented for over a year now,” he added.

However, Grindr still allows location tracking within 111 meters. It says that connecting nearby users is an intentional feature, not a bug; thus, it cannot be removed.