Flaw in Bumble and Hinge Offers Potential Stalkers Almost-Exact User Pinpoint

• Vulnerabilities in several dating apps allow users to learn the location of other users with down to 2 meters of accuracy.
• Some of these apps showed leaks in API traffic that exposed private user data.
• A user with malicious intent could exploit these to monitor unsuspecting users.

Several dating apps let their users pinpoint other users' locations down to 2 meters, according to a new academic paper signed by researchers from the Belgian university KU Leuven. These popular apps do not share exact locations on user profiles, but malicious users could exploit this feature via a form of trilateration. 

The paper analyzed 15 popular location-based dating (LBD) apps, finding a vulnerability that could help a malicious user learn another user’s near-exact location in Badoo, Bumble, Grindr, Happn, Hinge, and Hily. A potential stalker does not need to be physically near the target, as one can spoof the location data sent to a service.

Grindr is susceptible to exact distance trilateration, accurate to at least 111 m by 111 m square, and Happn shows a rounded distance in the UI but leaks a higher-precision distance in their API.

Badoo, Bumble, Hinge, and Hily are all susceptible to oracle trilateration, a technique using a binary signal whether a victim is within proximity of three locations, for which an attacker could use the apps’ distance filters, which use exact distances.

Distances are hidden in the UI for Hinge and Hily, but they are also impacted by the trilateration vulnerability. However, Tinder and LOVOO deter trilateration via grid snapping.

The authors of the paper also discovered several APIs that leak personal data, which is sometimes explicitly hidden, to an attacker who can inspect or even modify traffic.

An adversary that can intercept a victim’s network traffic can also gather sensitive data sent and received by LBD apps, which may also share personal data with third parties, as was shown on Tinder, Grindr, Jappn, Bumble, and OkCupid. Social engineering through conversations can also be used to elicit personal data from LBD app users.

Of the ones analyzed, some apps offer a specific API endpoint that also enables continuous profile access. Twelve apps leak through API traffic whether another user has liked the user, seven apps leak the recent activity time, four apps leak the account creation time, and four apps leak gender and age filters.

Badoo and Bumble are vulnerable to an exfiltration leak where the ‘projections’ field in an API request can be altered to force the fetching of additional data fields, exposing users’ activity status and time.

Some of these apps’ API responses contain the timestamp of the Likes, how long the other user looked at a profile, whether another user disliked the user, another user’s popularity score, and other private information.

Several dating apps let users pause profile visibility to others, but they still fetch profiles in background API traffic, so a malicious user could still access them.