Sachi Wani

Bumble, Hinge gave users' locations up to 2 metres, research paper reveals



Researchers have found that dating apps like Bumble and Hinge allowed stalkers to pinpoint the location of their victims down to 2 metres.

 

In a paper, researchers from the Belgian university KU Leuven analysed 15 popular dating apps and found that Badoo, Bumble, Grindr, happn, Hinge, and Hily all had the same vulnerability that could have allowed a malicious user to identify the near-exact location of another user.

 

The apps did not provide the exact location of the users; however, they used exact locations for the apps' "filters" feature. The filters feature allows users to sort their options according to age, height, type of relationship they are looking for, and, crucially, distance.

 

Researchers used a technique called "oracle trilateration" to locate the target users. Trilateration, which is used in GPS, works by taking three points and measuring the distance from each to the target. This creates three circles that intersect at the point where the target is located.

 

In the case of oracle trilateration, the person who wants to locate their target first "roughly estimates the victim’s location," which could be based on the location displayed in the target's profile, they said.

 

The attacker then moves in increments "until the oracle indicates that the victim is no longer within proximity, and this for three different directions. The attacker now has three positions with a known exact distance, i.e., the preselected proximity distance, and can trilaterate the victim," the researchers wrote.
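As an added illustration (not code from the article or the KU Leuven paper), the Python below shows why a distance filter computed on exact coordinates acts as an oracle, and how snapping coordinates to a coarse grid before the comparison removes the signal. The planar metre coordinates, the 1 km cell, the 5 km radius and all function names are assumptions, and grid snapping is a generic mitigation, not necessarily the fix any of the apps deployed.

```python
import math

CELL_M = 1000.0    # assumed grid cell size in metres
RADIUS_M = 5000.0  # assumed distance-filter setting in metres

def snap(pos, cell=CELL_M):
    """Replace a planar (x, y) position in metres with the centre of its grid cell."""
    return tuple((math.floor(c / cell) + 0.5) * cell for c in pos)

def in_range_exact(viewer, target, radius=RADIUS_M):
    """Weak filter: exact positions, so the answer flips exactly `radius` from the target."""
    return math.dist(viewer, target) <= radius

def in_range_snapped(viewer, target, radius=RADIUS_M):
    """Hardened filter: both positions are snapped before the distance comparison."""
    return math.dist(snap(viewer), snap(target)) <= radius

def differing_answers(filter_fn, target_a, target_b, viewers):
    """Count viewer positions at which the filter tells the two targets apart."""
    return sum(filter_fn(v, target_a) != filter_fn(v, target_b) for v in viewers)

# Constructed sample data: two targets 300 m apart in the same 1 km cell,
# and viewer positions on a 100 m lattice covering a 20 km square.
TARGET_A = (10_200.0, 10_300.0)
TARGET_B = (10_500.0, 10_300.0)
VIEWERS = [(x * 100.0, y * 100.0) for x in range(201) for y in range(201)]

if __name__ == "__main__":
    for name, fn in (("exact", in_range_exact), ("snapped", in_range_snapped)):
        n = differing_answers(fn, TARGET_A, TARGET_B, VIEWERS)
        print(f"{name:8s} filter: {n} of {len(VIEWERS)} viewer positions distinguish the targets")
```

A count of zero for the snapped filter means its answers carry no information about where inside the cell the target is, which makes the check usable as a privacy regression test.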

 

The researchers mailed their findings to all 15 apps, of which 10 responded immediately, and two more after a gap of five months.

 

"Of these 12 apps, 9 engaged in substantial and productive discussions regarding our discovered leaks, and indicated that they had deployed concrete fixes," they wrote.

 

Karel Dhondt, one of the researchers, told TechCrunch, "It was somewhat surprising that known issues were still present in these popular apps."


While this technique doesn’t reveal the exact GPS coordinates of the victim, "I’d say 2 meters is close enough to pinpoint the user," Dhondt said.

  

Bumble’s vice president of global communications, Gabrielle Ferree, said, "The company was made aware of these findings in early 2023 and swiftly resolved the issues outlined."

 

Dmytro Kononov, CTO and co-founder of Hily, told TechCrunch, "The findings indicated a potential possibility for trilateration. However, in practice, exploiting this for attacks was impossible. This is due to our internal mechanisms designed to protect against spammers and the logic of our search algorithm."

 

"Despite this, we engaged in extensive consultations with the authors of the report and collaboratively developed new geocoding algorithms to completely eliminate this type of attack.

 

"These new algorithms have been successfully implemented for over a year now," he added.

 

Kelly Peterson Miranda, chief privacy officer at Grindr, in a statement said, "As is the case with many location-based social networks and dating apps, Grindr requires certain location information in order to connect its users with those nearby."


She added, "Grindr users are in control of what location information they provide."


Image Source: AI generated

 
