Belgian researchers found a huge privacy hole in six dating apps
Some of the apps have taken steps to close “trilateration” efforts that could violate users’ privacy.
TechCrunch reported that a group of researchers from the university KU Leuven in Belgium identified six popular dating apps that malicious users can use to pinpoint the near-exact location of other users. Dating apps including Hinge, Happn, Bumble, Grindr, Badoo and Hily all exhibited some form of “trilateration” that could expose users’ approximate locations, which prompted some of the apps to take action and tighten their security, according to the published paper.
The term “trilateration” refers to a three-point measurement used in GPS to determine the relative distance to a target. The six named apps fell into one of three categories of trilateration” including “exact distance trilateration” in which a target is accurate to “at least a 111m by 111m square (at the equator),” “round distance trilateration” or “oracle trilateration” in which distance filters are used to approximate a rounded area much like a Venn diagram.
Grindr is “susceptible to exact distance trilateration” while Happn falls under “rounded distance trilateration.” The remaining four fall under “oracle trilateration” despite the fact that Hinge and Hily hide the distances of its users, according to the paper.
Karel Dhondt, one of the researchers involved in the study, told TechCrunch that a user with malicious intent could locate another user up to “2 meters” away using oracle trilateration. This method involves the malicious user going to a rough estimate of the victim's location based on their profile and moving in increments until the victim is no longer in proximity along three different positions and triangulating the data to one spot.
Bumble’s vice president of global communication Gabrielle Ferree told the website that they “swiftly resolved the issues outlined” with its distance filter last year. Hily co-founder and chief technology officer Dmytro Kononov said in a statement that an investigation revealed “a potential possibility for trilateration” but “exploiting this for attacks was impossible.”
Happn chief executive officer and president Karima Ben Adelmalek told TechCrunch they discussed trilateration with the Belgian researchers. He says that an additional layer of protection designed to prevent trilateration “was not taken into account in their analysis.”
Grindr’s chief privacy officer Kelly Peterson Miranda noted that users can disable their distance display from their profile. She also noted that “Grindr users are in control of what location information they provide.” Hinge did not respond with a comment.
Other dating apps have taken extra steps to ensure its users are speaking to actual people and not spam bots or fake accounts. Tinder started requiring users in February in the US, UK, Brazil and Mexico to upload a copy of an official driver’s license or passport along with a video selfie as part of a new advanced ID verification system.
Update, July 31, 7:55PM ET: The story was updated to remove the statement that Badoo did not respond to a request for comment. As Badoo is owned by Bumble, Bumble VP Gabrielle Ferree's statement covers both brands.