At IncludeSec we specialize in application security assessment for our clients; that means taking applications apart and finding really crazy vulnerabilities before other hackers do. When we have time off from client work we like to analyze popular apps to see what we find. Towards the end of 2013 we found a vulnerability that lets you get exact latitude and longitude co-ordinates for any Tinder user (which has since been fixed).
Tinder is an incredibly popular dating app. It presents the user with photographs of strangers and allows them to “like” or “nope” them. When two people “like” each other, a chat box pops up allowing them to talk. What could be simpler?
Being a dating app, it’s important that Tinder shows you attractive singles in your area. To that end, Tinder tells you how far away potential matches are:
Before we continue, a bit of history: In July 2013, a different privacy vulnerability was reported in Tinder. At the time, Tinder was actually sending the latitude and longitude co-ordinates of potential matches to the iOS client. Anyone with rudimentary programming skills could query the Tinder API directly and pull down the co-ordinates of any user.
I’m going to talk about a different vulnerability that’s related to how the one described above was fixed. In implementing their fix, Tinder introduced a new vulnerability that’s described below.
By proxying iPhone requests, it’s possible to get a picture of the API the Tinder app uses. Of interest to us today is the user endpoint, which returns details about a user by id. This is called by the client for your potential matches as you swipe through pictures in the app.
Here’s a snippet of the response:
Tinder is no longer returning exact GPS co-ordinates for its users, but it is leaking some location information that an attacker can exploit. The distance_mi field is a 64-bit double. That’s a lot of precision that we’re getting, and it’s enough to do really accurate triangulation!
As far as high-school subjects go, trigonometry isn’t the most popular, so I won’t go into too many details here. Basically, if you have three (or more) distance measurements to a target from known locations, you can get the absolute location of the target using triangulation. This is similar in principle to how GPS and cellphone location services work.
I can create a profile on Tinder, use the API to tell Tinder that I’m at some arbitrary location, and query the API to find a distance to a user. When I know the city my target lives in, I create 3 fake accounts on Tinder. I then tell the Tinder API that I am at three locations around where I guess my target is. Then I can plug the distances into the formula on this Wikipedia page.
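To show why the precision of distance_mi matters, here is an added example (not the TinderFinder code, and not anything Tinder shipped) that solves the three-circle problem from the Wikipedia formula (trilateration, the distance-based method the post calls triangulation) and measures how close the recovered point lands when the API reports full-precision doubles versus distances coarsened to a fixed granularity, the kind of check a team would run to validate a server-side fix. The probe and target positions are constructed in a flat local frame measured in miles; the coarsening function is an assumed mitigation, not a description of Tinder’s actual fix.

```python
import math

# Constructed positions in a flat local frame (miles); not real Tinder data.
TARGET = (2.0, 1.7)                            # true location we want to protect
PROBES = [(0.0, 0.0), (5.0, 0.0), (0.0, 5.0)]  # three known probe locations

def true_distance(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])

def coarsen(distance_mi, granularity_mi):
    """Assumed server-side mitigation: report the distance only at a fixed
    granularity (e.g. whole miles) instead of a full-precision double."""
    if granularity_mi <= 0:
        return distance_mi
    return round(distance_mi / granularity_mi) * granularity_mi

def trilaterate(probes, dists):
    """Recover (x, y) from three circle equations (x-xi)^2 + (y-yi)^2 = di^2.
    Subtracting circle 1 from circles 2 and 3 cancels the squared unknowns
    and leaves a 2x2 linear system, solved here by Cramer's rule."""
    (x1, y1), (x2, y2), (x3, y3) = probes
    d1, d2, d3 = dists
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = d1**2 - d2**2 - x1**2 + x2**2 - y1**2 + y2**2
    d, e = 2 * (x3 - x1), 2 * (y3 - y1)
    f = d1**2 - d3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a * e - b * d
    if abs(det) < 1e-12:
        raise ValueError("probe locations are collinear; no unique solution")
    return ((c * e - b * f) / det, (a * f - c * d) / det)

def recovery_error(granularity_mi):
    """Distance (miles) between the true location and the point recovered
    from distances reported at the given granularity (0 = raw double)."""
    reported = [coarsen(true_distance(p, TARGET), granularity_mi) for p in PROBES]
    guess = trilaterate(PROBES, reported)
    return true_distance(guess, TARGET)

if __name__ == "__main__":
    for g in (0, 0.1, 1.0):
        print(f"granularity {g:>4} mi -> recovered point is off by {recovery_error(g):.3f} mi")
```

With raw doubles the recovered point is essentially exact; with whole-mile reporting it is about half a mile off in this constructed layout, which is the sort of number to weigh against the app’s real need for the distance field.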
To make this a bit clearer, I built a webapp….
Before I go on, this app isn’t online and we have no plans to release it. This is a serious vulnerability, and we in no way want to help people invade the privacy of others. TinderFinder was built to demonstrate a vulnerability and was only tested on Tinder accounts that I had control of.
TinderFinder works by having you input the user id of a target (or use your own by logging into Tinder). The assumption is that an attacker can find user ids fairly easily by sniffing the phone’s traffic to find them.
First, the user calibrates the search to a city. I’m picking a point in Toronto, because I will be finding myself.
I can locate the office I sat in while writing the app:
I can also enter a user-id directly:
And find a target Tinder user in NYC.