MADRID (Portaltic/EP) – Dating apps such as Badoo, Bumble, Grindr, Hinge and Hily allowed malicious users and harassers to learn the location of their potential victims with an accuracy of up to two metres, due to a defect in how their application programming interfaces (APIs) operate.
Researchers at Belgium’s KU Leuven University analyzed 15 popular apps of this type – with at least 10 million downloads in total – and found that six of them made the same mistake, according to a new academic paper.
In this report, they assessed the personal and confidential data that is shared with other users when using these apps: that is, both the data that people intentionally show to others and the data that is disclosed without their authorization, which comes from “inadvertent leaks” of the API on which these services are based.
This inadvertent sharing refers to information that does not appear in the user interface and that a malicious actor can retrieve for their benefit. This “directly conflicts with the user’s perception of what they are sharing and what others may know about them.”
It is worth remembering that most of these services are location-based, a model known as LBD (location-based dating). This means that they require users to have their device’s location enabled in order to work, and they show them people who may fit what they are looking for within a previously configured maximum distance.
One of the main conclusions of this study is related to the geolocation services of these applications. To reach this conclusion and to understand the risks to which users are exposed, a three-phase analysis was proposed.
We first looked at how easily a malicious actor can create an account on these apps to collect other users’ private data. We then measured the personal data these apps share, including sensitive dating data and users’ exact locations. Finally, we examined how these apps’ privacy policies address the collection and potential leakage of personal data.
To assess whether these apps can extract information about a user’s exact location without their knowledge, the researchers applied a technique called trilateration.
GPS itself relies on trilateration: signals from satellites serve as reference points, and the distances from three such points allow the position of a target to be calculated.
The researchers distinguish three categories of trilateration, namely exact distance trilateration, rounded distance trilateration and oracle trilateration, which yield more or less precise information about the location of the target user.
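As an added illustration (not code from the paper or the article), the following Python model places the weak API behaviour beside a mitigation: when the distance endpoint reflects a user’s exact stored position, three distance queries from known points pin that position down, whereas if the stored position is first snapped to a 1 km grid (an assumed mitigation, not necessarily what any vendor deployed) the same queries recover only the cell centre. All coordinates are constructed.

```python
import math

EARTH_R = 6371000.0            # Earth radius in metres
ORIGIN = (50.8798, 4.7005)     # constructed reference point for a local planar frame
TARGET = (50.8850, 4.7100)     # constructed position of the user being protected
VIEWERS = [(50.8900, 4.7000), (50.8800, 4.7200), (50.8750, 4.7050)]  # constructed query points

def to_xy(latlon):
    """Equirectangular projection to metres around ORIGIN (adequate at city scale)."""
    lat, lon = latlon
    x = math.radians(lon - ORIGIN[1]) * EARTH_R * math.cos(math.radians(ORIGIN[0]))
    y = math.radians(lat - ORIGIN[0]) * EARTH_R
    return x, y

def snap_to_grid(latlon, cell_m):
    """Mitigation: store only the centre of the cell_m-sized grid cell the user is in,
    so no API response can depend on the exact position."""
    x, y = to_xy(latlon)
    return (math.floor(x / cell_m) + 0.5) * cell_m, (math.floor(y / cell_m) + 0.5) * cell_m

def api_distance_m(target, viewer, cell_m=None):
    """Model of the 'distance to this profile' endpoint. cell_m=None is the weak
    behaviour (distance to the exact position); cell_m=1000 applies the grid snap."""
    tx, ty = to_xy(target) if cell_m is None else snap_to_grid(target, cell_m)
    vx, vy = to_xy(viewer)
    return math.hypot(tx - vx, ty - vy)

def trilaterate(anchors, dists):
    """Solve for the point at the given distances from three non-collinear anchors
    (2-D, exact distances) by subtracting the circle equations to get a linear system."""
    (x1, y1), (x2, y2), (x3, y3) = anchors
    d1, d2, d3 = dists
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = d1**2 - d2**2 - x1**2 + x2**2 - y1**2 + y2**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = d1**2 - d3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a1 * b2 - a2 * b1
    return (c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det

def location_error_m(target, viewers, cell_m=None):
    """Privacy check: how far the point recoverable from three distance queries lies
    from the user's true position. Near 0 means the API leaks the exact location."""
    anchors = [to_xy(v) for v in viewers]
    dists = [api_distance_m(target, v, cell_m) for v in viewers]
    rx, ry = trilaterate(anchors, dists)
    tx, ty = to_xy(target)
    return math.hypot(rx - tx, ry - ty)

if __name__ == "__main__":
    print("exact distances: error %.3f m" % location_error_m(TARGET, VIEWERS))
    print("1 km grid snap:  error %.1f m" % location_error_m(TARGET, VIEWERS, cell_m=1000))
```

With the grid snap the recoverable error is bounded by half the cell diagonal (about 707 m for a 1 km cell); merely rounding the reported distance while keeping the exact stored position would not give that guarantee.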
In this regard, the Belgian academics found that, of all the apps analysed, Hinge, Happn, Bumble, Grindr, Badoo and Hily exposed information related to the location of their users because their APIs leak hidden data without the users being aware that they are sharing it.
Because stalkers and malicious actors could have been shown the near-exact location of their potential victims, with an accuracy of up to two meters in some cases, these apps would have enabled “physical threats to users’ personal safety.”
The researchers also pointed out that the apps’ privacy policies fail to inform users about these threats to their privacy, which they should do so that users can decide what kind of information they want to share, knowing that it may be exposed to unauthorized people.
Gabrielle Ferree, Vice President of Global Communications at Bumble (which also owns Badoo), said the firm “was made aware of these findings in early 2023 and quickly resolved the issues described,” as reported by media outlets such as TechCrunch.
Hily CTO and co-founder Dmytro Kononov said the company had received a report about the breaches in May 2023 and had begun an investigation to assess the damage.
“The results indicated a potential possibility of trilateration. However, in practice, exploiting this to carry out attacks was impossible,” he said, as it uses a number of internal spam protection mechanisms. They also developed new geocoding algorithms “to completely eliminate this attack.”
For its part, Happn pointed out that “it has an additional layer of protection beyond the simple measurement of distances, which was not taken into account in the analysis [by the Belgian researchers] and which makes the trilateration technique ineffective,” said the app’s CEO and president, Karima Ben Abdelmalek.
As for Grindr, analysts found that it could locate a person within 111 metres of their exact coordinates. Although not as precise as other apps, this feature would still be potentially dangerous for users.
However, its managers have stressed that “as with many other social networks”, their application requires certain location information and that users “control what information they provide” related to it.
SALE OF DATA FOR ADVERTISING PURPOSES
In addition to sharing users’ locations, the Mozilla Foundation recently discovered that many of these apps have the ability to share or sell their users’ personal information.
Researchers found that of the 25 dating apps analysed – including Badoo, Muzz, Her, Tinder, Match and Bumble – only three were rated as data protection and privacy-friendly, namely Lex, eHarmony and Happn.
The rest provided, at a minimum, the information that users add to their profile descriptions for advertising purposes, while others such as OkCupid force users to share photos, videos and voice content to better understand users and offer a more personalized experience.
2024-08-05 14:22:37