Bumble and Hinge allowed stalkers to pinpoint users’ locations down to 2 meters, researchers say
A group of researchers said they found that vulnerabilities in the design of some dating apps, including the popular Bumble and Hinge, allowed malicious users or stalkers to pinpoint the location of their victims down to 2 meters.
In a new academic paper, researchers from the Belgian university KU Leuven detailed their findings when they analyzed 15 popular dating apps. Of those, Badoo, Bumble, Grindr, happn, Hinge and Hily all had the same vulnerability that could have helped a malicious user identify the near-exact location of another user, according to the researchers.
While neither of those apps share exact locations when displaying the distance between users on their profiles, they did use exact locations for the “filters” feature of the apps. Generally speaking, by using filters, users can tailor their search for a partner based on criteria like age, height, what type of relationship they are looking for and, crucially, distance.
To pinpoint the exact location of a target user, the researchers used a novel technique they call “oracle trilateration.” In general, trilateration, which for example is used in GPS, works by using three points and measuring their distance relative to the target. This creates three circles, which intersect at the point where the target is located.
Oracle trilateration works slightly differently. The researchers wrote in their paper that the first step for the person who wants to identify their target’s location “roughly estimates the victim’s location,” for example, based on the location displayed in the target’s profile. Then the attacker moves in increments “until the oracle indicates that the victim is no longer within proximity, and this for three different directions. The attacker now has three positions with a known exact distance, i.e., the preselected proximity distance, and can trilaterate the victim,” the researchers wrote.
“It was somewhat surprising that known issues were still present in these popular apps,” Karel Dhondt, one of the researchers, told TechCrunch. While this technique doesn’t reveal the exact GPS coordinates of the victim, “I’d say 2 meters is close enough to pinpoint the user,” Dhondt said.
The good news is that all the apps that had these issues, and that the researchers reached out to, have now changed how distance filters work and are not vulnerable to the oracle trilateration technique. The fix, according to the researchers, was to round up the exact coordinates by three decimals, making them less precise and accurate.
“This is approximately an uncertainty of one kilometer,” Dhondt said.
Bumble’s vice president of global communications Gabrielle Ferree said that the company was “made aware of these findings in early 2023 and swiftly resolved the issues outlined.” Ferree also said the issues were fixed in Badoo, which is owned by Bumble.
Dmytro Kononov, CTO and co-founder of Hily, told TechCrunch in a statement that the company received a report on the vulnerability in May 2023 and then did an investigation to assess the researchers’ claims.
“The findings indicated a potential possibility for trilateration. However, in practice, exploiting this for attacks was impossible. This is due to our internal mechanisms designed to protect against spammers and the logic of our search algorithm,” Kononov said. “Despite this, we engaged in extensive consultations with the authors of the report and collaboratively developed new geocoding algorithms to completely eliminate this type of attack. These new algorithms have been successfully implemented for over a year now.”
A Hinge spokesperson said the company “immediately took action” when they received the researchers’ report in early 2023.
Happn CEO and president Karima Ben Abdelmalek told TechCrunch in an emailed statement that the company was contacted by the researchers last year.
“After review by our Chief Security Officer of the research findings, we had the opportunity to discuss the trilateration method with the researchers. However, happn has an additional layer of protection beyond just rounding distances,” said Ben Abdelmalek. “This additional protection was not taken into account in their analysis and we mutually agreed that this extra measure on happn makes the trilateration technique ineffective.”
The researchers also found that a malicious person could locate users of Grindr, another popular dating app, to around 111 meters of their exact coordinates. While this is better than the 2 meters that the other apps allowed, it could still be potentially dangerous, according to the researchers.
“We argue that 111 meters, which is the corresponding distance that goes with this precision, is not sufficient” in areas with a low density of people, such as rural or suburban areas, said Dhondt.
Grindr makes it impossible to go below 111 meters because it rounds users’ precise locations by three decimals. And when they reached out to Grindr, the company said that this was a feature, not a bug, according to the researchers.
Kelly Peterson Miranda, chief privacy officer at Grindr, said in a statement that “for many of our users, Grindr is their only form of connection to the LGBTQ+ community, and the proximity Grindr offers to this community is paramount in providing the ability to interact with those closest to them.”
“As is the case with many location-based social networks and dating apps, Grindr requires certain location information in order to connect its users with those nearby,” Miranda said, adding that users can disable their distance to be displayed if they want. “Grindr users are in control of what location information they provide.”
This story has been updated to include comment from Hinge’s and Badoo’s spokespeople.