If you are looking for a date, Tinder is pretty neat. If you are concerned about your privacy, it is less than ideal. To shed light on this privacy issue and show why it is problematic, we built a Chrome plugin to stalk our friends and pinpoint their location. Although this blog post is focused on Tinder, this issue is widespread and can be found in every application using location in a similar fashion. We decided to focus on Tinder based on its popularity and the fact that its users do not seem to be aware of the risks. This is not the first time privacy has been discussed, but it has not received the attention it deserves. Credit to others follows. Note: Prior to publishing this write-up, we contacted Tinder. The Tinder Groups feature was removed soon after, but it is impossible to say whether this was related to the findings described below. The privacy issue, however, still exists. What we did and what can happen Any one of your Facebook friends — your partner, your boss or just your over-protective mom — can see you as a dot on a map, whenever they like, updated live. Every person you match with on Tinder can do this as well. Sounds a bit creepy? However, the scenario described above is reality if you are using Tinder Groups. Even if you are very strict about your Facebook friends and only befriend those you trust with your location, are you sure that they have not been hacked? Bundled together with this is the ability to track a user based on the user ID. The end result is a user-friendly plugin that can be operated by anyone. Triangulating our unknowing victim by using our plugin. The plugin does all the heavy lifting, which is what makes all this a bit scary. A further development of the plugin, left as an exercise for the reader, would be to make one big map with a dot for each and every one of your friends, constantly updated with data from Tinder. With Burp running on a laptop nearby, all we had to do was install Tinder on a phone, proxy all traffic through the laptop and start to listen. No cert-pinning or similar techniques to keep in mind. There is also unofficial on Github if you want a head start. Soon after logging in to Tinder all the API requests can be seen flying by. Looking at this, it becomes clear that the API was once very verbose, something Tinder later tried to fix. Age is sent as a fake date of birth that then is calculated client-side, everyone seems to have been last active in 2014, and so on. Placeholders cover a lot of data points and we became curious about what we would have found had we looked into this earlier. One of the data points is the distance from you to the target. In each request to the API some information such as authorisation tokens and installation ID is sent. During the debugging part this is not a problem, but it makes creating a user-friendly PoC harder. We missed it in the beginning of this project, but Tinder actually has a as well. This becomes very handy here, as we can let the original web app deal with the whole authorisation part and then just use the token. As the token was saved in localStorage it can be retrieved with JavaScript: localStorage. The web version is more limited than the mobile application, but we can use the token from web with the endpoints from mobile, so this is not a problem in our case. Nothing dramatic, but a trick to keep in mind. Tinder Groups It must be noted that Tinder Groups is opt-in. Not everyone who uses Tinder uses Tinder Groups. The privacy issue described below has been reported to Tinder before, but Tinder responded that the Groups feature is opt-in. However, many Tinder users we asked did not know they had enabled the feature, so it can clearly be done unintentionally. To see if you are affected, open Tinder and navigate to Tinder Groups. If this works, the feature is enabled and you can disable it in settings. If Tinder Groups is not enabled, the app will prompt you to enable the feature and you can, of course, politely decline. Internally, Tinder Groups seems to be called Tinder Squads. References can be found in code and endpoints. With the Tinder User IDs of our Facebook friends we are able to request all public information about their profiles. This is the data you normally see when matching with someone: all pictures, bio, age, distance, and so on. This information is interesting, but not sensitive. It is also considered public, but you might not expect your friends to get hold of it. Triangulate users Now we are getting to the good stuff. See where this is taking us? Max Veytsman showed the possibility to back in 2014, long before Tinder Groups. There seems to be some kind of protection in place against quickly changing your position, but it is not documented and we never figured out exactly how it works. One time we were able to jump between countries within seconds and everything worked out fine, but for the most part you get a error back when you change the location too quickly. Some more guesses, but no absolute facts, can be found on. There is a premium Tinder feature that allows the user to manually set the location. This might render triangulation more efficient. When Max Veytsman pointed this out back in 2014 Tinder used a float a number with decimals for distance, meaning you could get an exact distance by triangulating a user. In response to his findings they changed it to an integer. Had they stopped there it would still be possible to get an exact position by increasing the distance a bit each time until the counter changes to the next integer. However, we could not do this, which makes us think some kind of arbitrary distance preventing this type of triangulation has been implemented. As a result, our accuracy in triangulating a user is limited to about a kilometer for now, but it cannot be ruled out that higher accuracy could be acquired if some more time were spent on figuring this part out. The result of the triangulation can be found in the introduction of this blog post, and it should be fairly obvious how it was done. This method still works at the time of writing and will probably continue to work for long. What is the solution? What you can do Make sure Tinder Groups is not enabled. This will prevent Facebook friends from finding out your Tinder User ID as easily, but it does not do anything against the tracking issue. If your location being publicly disclosed is a problem — delete the app. What Tinder can do They could have made our research harder, but they could not have stopped it. For their business model to work, the location needs to be exposed publicly, always allowing for these kinds of tricks to be pulled. We did not spend enough time playing around with the distance, but it would be possible to make it even more accurate with some statistical analysis of multiple requests. However, it seems like Tinder has actually tried to hide the location as much as can be expected from them. Trying to be a bit philosophical As this issue can never be fully protected against anyway, maybe the right answer is to not obfuscate anything? Security by obfuscation and all that. Trying to hide the information creates a false sense of privacy for the user. Maybe the general public is okay with this, and those who care are in the minority? When Snapchat people jumped aboard with little to no hesitation, sharing their exact location with anyone willing to stalk them. We talked to some of our Facebook friends we found on Tinder and can confirm that not everyone is happy to be stalked. The point we are trying to make here is that there are no existing solutions to this but to spread awareness. If you believe your privacy is worth less than the possibility of a Tinder date, then for all means go ahead and continue using apps like these, but you should have a chance of knowing what you are doing. Linus Särud Fredrik Almroth.
