Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Privacy

Bumble and Hinge Allowed Stalkers To Pinpoint Users' Locations Down To 2 Meters, Researchers Say (techcrunch.com) 23

An anonymous reader quotes a report from TechCrunch: A group of researchers said they found that vulnerabilities in the design of some dating apps, including the popular Bumble and Hinge, allowed malicious users or stalkers to pinpoint the location of their victims down to two meters. In a new academic paper, researchers from the Belgian university KU Leuven detailed their findings (PDF) when they analyzed 15 popular dating apps. Of those, Badoo, Bumble, Grindr, happn, Hinge and Hily all had the same vulnerability that could have helped a malicious user to identify the near-exact location of another user, according to the researchers. While neither of those apps share exact locations when displaying the distance between users on their profiles, they did use exact locations for the "filters" feature of the apps. Generally speaking, by using filters, users can tailor their search for a partner based on criteria like age, height, what type of relationship they are looking for and, crucially, distance.

To pinpoint the exact location of a target user, the researchers used a novel technique they call "oracle trilateration." In general, trilateration, which for example is used in GPS, works by using three points and measuring their distance relative to the target. This creates three circles, which intersect at the point where the target is located. Oracle trilateration works slightly differently. The researchers wrote in their paper that the first step for the person who wants to identify their target's location "roughly estimates the victim's location," for example, based on the location displayed in the target's profile. Then, the attacker moves in increments "until the oracle indicates that the victim is no longer within proximity, and this for three different directions. The attacker now has three positions with a known exact distance, i.e., the preselected proximity distance, and can trilaterate the victim," the researchers wrote.

"It was somewhat surprising that known issues were still present in these popular apps," Karel Dhondt, one of the researchers, told TechCrunch. While this technique doesn't reveal the exact GPS coordinates of the victim, "I'd say 2 meters is close enough to pinpoint the user," Dhondt said. The good news is that all the apps that had these issues, and that the researchers reached out to, have now changed how distance filters work and are not vulnerable to the oracle trilateration technique. The fix, according to the researchers, was to round up the exact coordinates by three decimals, making them less precise and accurate.

This discussion has been archived. No new comments can be posted.

Bumble and Hinge Allowed Stalkers To Pinpoint Users' Locations Down To 2 Meters, Researchers Say

Comments Filter:
  • by larwe ( 858929 ) on Wednesday July 31, 2024 @05:10PM (#64670846)
    Honestly, what is the expectation here? This technique is not in general novel, analogous techniques were being used for RDF and zeroing weapon aim points at _least_ in the 1930s if not earlier. These apps allow strangers to find potential intimate partners with various filter criteria. This is INHERENTLY dangerous for people who intend to partipcate, because there is no way to filter on "is the person at the other end of this communication path a psycho/rapist/murderer?"
    • psycho/rapist/murderer

      Or, statistically most likely, is the ex looking for and capable of such such behaviour after the breakup?

      Cos yes, it's almost always someone the victim knows well.

      • by larwe ( 858929 )
        I count "ex" in the "psycho" category but yes - your point is well taken. I do watch a lot of Law And Order: SVU :)
    • Honestly, what is the expectation here? ... This is INHERENTLY dangerous for people who intend to partipcate, because there is no way to filter on "is the person at the other end of this communication path a psycho/rapist/murderer?"

      The psycho filtering is generally meant to be handled using the chat functionality in the app. The expectation is that you decide if you feel safe meeting someone before giving them a precise place to find you. It's a significant problem if someone can pinpoint your location before you've made that choice.

      • by larwe ( 858929 )
        But there is literally no way to avoid that precise location if there is a "location" filter in the app. No matter how granular it is. Even if it's, say, a five mile radius - you can simply spoof your location, keep polling for "is this person in range now?" and easily figure out, to high accuracy, where the person really is.
        • Surely we can design a solution. Off the top of my head, we could devise a fairly foolproof solution by having the user's location offset by a random 0.5-1 mile distance in a random direction for the purposes of others computing whether they meet the distance filter. Or add some level of fuzziness on the filtering side so that when you specify "within five miles of me" you're actually seeing people within a regularly rotated random distance of between 5-7 miles.

          I don't use these apps, but I can't imagin

          • by larwe ( 858929 )
            OK, so you say "random offset". Does the site record the actual location, and add a random factor every time someone queries it? If so, it can be attacked by querying repeatedly to form a probability relief map which will peak where the user actually is. If the site picks one random factor and stirs it in once, it's going to be vulnerable to attacks when the target user moves and the site needs to update its fake-location for that user. This is a very nontrivial problem to solve, given that the use case for
            • No randomness necessary, reduce the precision of all locations such that nothing is resolved to finer than say a 500mx500m grid.

  • by gweihir ( 88907 ) on Wednesday July 31, 2024 @05:18PM (#64670866)

    ... get stupid code. This is a vulnerability so obvious that any smart and educated person can find it with a few minutes of thinking.

  • Vulnerabilities??? (Score:4, Insightful)

    by SvnLyrBrto ( 62138 ) on Wednesday July 31, 2024 @05:41PM (#64670922)

    These are not dating apps, they're hookup apps. And clearly none of these "reseachers" have actually used them for their intended purpose. If they had, they would know that the geo-location and matching to other users in close proximity is the entire POINT. We're not talking about a site like OK Cupid where one would try to find a soul mate and slowly get to know each other, first over online chat, then coffee, then dinner and a movie, then on the third IRL date if you're connecting emotionally and maybe into having a relationship so now you have sex. One does not fire up Grindr for that. You open up Grindr because you're horny and you want to get laid now, Now, NOW by someone you consider a hottie who is in close proximity.

    This "vulnerability" is no such thin. It's not even a bug. It's a feature.

  • by Anonymous Coward

    ... just not when the RNC is in town!

    • ... just not when the RNC is in town!

      I've fucked Republicans...many who proclaimed themselves to be future TradWife Christian Conservatives who would never have premarital sex (and obviously I didn't marry any of them)....the repressed sex is HOT and those who proclaim their purity the loudest tend to be freakiest.

      So if fucking uptight Christian Conservative women was so fucking hot and wild....what about closeted men?

      I have a buddy who bragged about this...said fucking straight guys...the more conservative, the better, is by far the fr

  • Could just add or subtract a nominal distance from the reported result, does any user actually care if someone is 25km away vs 27 or 23?
    Admittedly, using this method you could still defeat this by populating the search with more queries to generate a heatmap of probability.
    Probably better to calculate distance from the Suburb centre!

  • I misread the headline as allowing a stalker to pinpoint someone up to 2m underground.

    Seemed like the sorta thing only someone who kept someone underground would use.

"Facts are stupid things." -- President Ronald Reagan (a blooper from his speeach at the '88 GOP convention)

Working...