DMR News

Advancing Digital Conversations

Study Reveals How Six Dating Apps Expose User Locations to Stalkers

By Hilary Ong

Aug 2, 2024


Belgian researchers from KU Leuven have discovered significant security vulnerabilities in six popular dating apps—Bumble, Hinge, Grindr, Badoo, Happn, and Hily—that could allow malicious users to pinpoint a user’s location with high precision.

The study, which analyzed 15 dating apps, identified that these apps could be exploited to determine users’ exact locations, down to within 2 meters in some cases.

How Does Trilateration Pose a Risk in Dating Apps?

The core issue revolves around a technique called “oracle trilateration,” which the researchers used to identify these vulnerabilities.

Trilateration is a common method used in GPS technology to locate a position by measuring the distance from three known points. Typically, it involves creating three intersecting circles, where the intersection point indicates the exact location of the target.

In the context of these dating apps, oracle trilateration works slightly differently.

  1. Estimating Location: Malicious users can estimate a victim’s approximate location using the information displayed in their profile, such as distance from the user.
  2. Incremental Movement: The attacker then moves in small increments, detecting when the victim’s presence is no longer within proximity from three different directions.
  3. Triangulation: By repeating this process from three different directions, the attacker can triangulate the victim’s exact location.

Karel Dhondt, one of the researchers, expressed surprise that these vulnerabilities still exist in such widely used apps. Dhondt explained that while oracle trilateration does not provide exact GPS coordinates, the precision of 2 meters is close enough to pose a serious risk to users’ privacy and safety.

How Are Dating Apps Addressing These Security Issues?

In response to the findings, the affected apps have implemented changes to mitigate these risks. One common fix has been to round up the exact coordinates by three decimal places, introducing an uncertainty of approximately one kilometer, which significantly reduces the accuracy of location data.

Bumble’s vice president of global communications, Gabrielle Ferree, stated that the company was made aware of these findings in early 2023 and promptly resolved the issues.

Dmytro Kononov, CTO and co-founder of Hily, acknowledged receiving the researchers’ report in May 2023. He confirmed that an internal investigation found a potential for trilateration, but emphasized that exploiting this vulnerability was practically impossible due to the app’s internal protective mechanisms and search algorithm logic. Kononov also noted that Hily worked with the researchers to develop new geocoding algorithms, which have been in place for over a year, to completely eliminate this type of attack.

Happn CEO and president Karima Ben Abdelmalek stated that the company had discussed the trilateration method with the researchers last year. Ben Abdelmalek noted that Happn has an additional layer of protection beyond just rounding distances, which was not considered in the researchers’ analysis, rendering the trilateration technique ineffective on their platform.

The study also highlighted concerns with Grindr, where users could be located within approximately 111 meters of their actual coordinates. While this is less precise than the 2-meter accuracy seen with other apps, Dhondt stressed that it still poses a potential risk, especially in densely populated areas. Grindr rounds users’ precise locations by three decimal places, and when contacted, the company stated that this was a deliberate feature, not a flaw.

Kelly Peterson Miranda, Grindr’s chief privacy officer, emphasized that many users rely on Grindr as their primary means of connecting with the LGBTQ+ community. She noted that while location information is essential for facilitating these connections, users can choose to disable the distance display feature if they wish to protect their privacy further.
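The coordinate rounding described above (three decimal places, the roughly 111-meter granularity cited for Grindr) can be sketched as follows. This is an added example, not code from the researchers or any of the apps; the function names and the coordinates are constructed, and it assumes the server snaps the stored location before any distance is computed.

```python
import math

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in meters


def snap(lat, lon, decimals=3):
    """Round a coordinate pair to a fixed grid (hypothetical helper)."""
    return round(lat, decimals), round(lon, decimals)


def haversine_m(a, b):
    """Great-circle distance in meters between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def reported_distance_m(viewer, target, decimals=3):
    """Distance the API would expose: the target is snapped first, so the
    answer cannot vary with the target's position inside its grid cell."""
    return haversine_m(viewer, snap(*target, decimals))


def cell_height_m(decimals=3):
    """North-south extent of one grid cell in meters."""
    return math.radians(10 ** -decimals) * EARTH_RADIUS_M


# Constructed sample data: two true positions inside the same grid cell.
VIEWER = (50.88512, 4.71234)
TARGET_A = (50.87801, 4.70012)
TARGET_B = (50.87839, 4.70046)

if __name__ == "__main__":
    print("raw distances:     ",
          round(haversine_m(VIEWER, TARGET_A)),
          round(haversine_m(VIEWER, TARGET_B)))
    print("reported distances:",
          round(reported_distance_m(VIEWER, TARGET_A)),
          round(reported_distance_m(VIEWER, TARGET_B)))
    print("cell height (m):   ", round(cell_height_m(3), 1))
```

Snapping has to happen before the distance calculation; rounding only the displayed distance leaves the underlying value dependent on the exact position.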

