31 July 2024
Zaker Adham
Summary
Researchers have uncovered critical vulnerabilities in several popular dating apps, including Bumble and Hinge, which allowed stalkers to pinpoint users' locations to within 2 meters. This finding raises significant concerns about user privacy and safety in the digital dating space.
A study conducted by researchers at KU Leuven in Belgium analyzed 15 widely used dating apps and identified vulnerabilities in Badoo, Bumble, Grindr, Happn, Hinge, and Hily. These apps, while not sharing exact locations on user profiles, used precise locations for their filtering features, which could be exploited to reveal a user's near-exact position.
The Oracle Trilateration Technique
The researchers employed a method they called "oracle trilateration" to determine users' locations. Traditional trilateration, like that used in GPS, relies on three known points to calculate the target's location by intersecting circles around these points. Oracle trilateration improves this process by estimating the victim’s location based on profile data and refining it by incrementally adjusting the position until the target's proximity changes, allowing for pinpoint accuracy.
Researchers' Findings and App Responses
"It was somewhat surprising that known issues were still present in these popular apps," said Karel Dhondt, one of the researchers. Although this technique doesn't reveal exact GPS coordinates, "2 meters is close enough to pinpoint the user," he added.
Following the discovery, the affected apps implemented fixes to mitigate the vulnerability. They adjusted their distance filters to round up coordinates by three decimals, increasing location uncertainty to about one kilometer.
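The fix described above, sketched as an added example (not code from the apps or the researchers): a distance filter that rounds coordinates to three decimals before comparing, next to one that compares exact coordinates. The function names, the 1,000 m radius, the choice to round the viewer's position as well, and the sample coordinates are all assumptions constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
GRID_DECIMALS = 3  # the rounding the article reports; tune per threat model


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def coarsen(lat, lon, decimals=GRID_DECIMALS):
    """Snap a position to a fixed grid so sub-cell movement is invisible."""
    return round(lat, decimals), round(lon, decimals)


def in_range_precise(viewer, target, radius_m):
    """Weak form: the yes/no answer depends on exact coordinates."""
    return haversine_m(*viewer, *target) <= radius_m


def in_range_coarse(viewer, target, radius_m):
    """Hardened form: both positions are rounded before the comparison
    (assumption: rounding happens server-side, before any filter runs)."""
    return haversine_m(*coarsen(*viewer), *coarsen(*target)) <= radius_m


# Constructed sample data: one user at two positions about 2 m apart,
# and a viewer roughly 1 km to the south.
VIEWER = (50.8701368, 4.70012)
TARGET_A = (50.87912, 4.70012)
TARGET_B = (50.87914, 4.70012)
RADIUS_M = 1000.0

if __name__ == "__main__":
    for name, t in (("A", TARGET_A), ("B", TARGET_B)):
        print(name, "precise:", in_range_precise(VIEWER, t, RADIUS_M),
              "coarse:", in_range_coarse(VIEWER, t, RADIUS_M))
```

With exact coordinates the filter answer differs between the two nearby positions; with rounded coordinates both positions fall in the same grid cell and the answer is identical.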
A Bumble spokesperson confirmed that the company addressed these vulnerabilities swiftly after being notified in early 2023. Similarly, Hily's CTO, Dmytro Kononov, stated that while the vulnerability was theoretically possible, internal mechanisms and search algorithms made practical exploitation unlikely. He added that Hily has since updated its geocoding algorithms to eliminate the risk entirely.
Reactions from Other Apps
Badoo and Hinge did not respond to requests for comment. However, Happn’s CEO, Karima Ben Abdelmalek, stated that their additional security measures make the trilateration technique ineffective. Grindr, another app mentioned in the study, was found to allow location tracking to within 111 meters. Grindr's Chief Privacy Officer, Kelly Peterson Miranda, emphasized that the proximity feature is crucial for connecting users within the LGBTQ+ community, but users can choose to hide their distance.
Implications for User Safety
While some apps have significantly improved their security, the findings highlight the ongoing need for robust privacy protections in dating apps. The ability of malicious actors to track users so precisely poses a significant threat, especially in densely populated areas.