Bumble and Hinge Allowed Stalkers To Pinpoint Users' Locations Down To 2 Meters, Researchers Say (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: A group of researchers said they found that vulnerabilities in the design of some dating apps, including the popular Bumble and Hinge, allowed malicious users or stalkers to pinpoint the location of their victims down to two meters. In a new academic paper, researchers from the Belgian university KU Leuven detailed their findings (PDF) when they analyzed 15 popular dating apps. Of those, Badoo, Bumble, Grindr, happn, Hinge and Hily all had the same vulnerability that could have helped a malicious user to identify the near-exact location of another user, according to the researchers. While none of those apps shares exact locations when displaying the distance between users on their profiles, they did use exact locations for the "filters" feature of the apps. Generally speaking, by using filters, users can tailor their search for a partner based on criteria like age, height, what type of relationship they are looking for and, crucially, distance.
To pinpoint the exact location of a target user, the researchers used a novel technique they call "oracle trilateration." In general, trilateration, which for example is used in GPS, works by using three points and measuring their distance relative to the target. This creates three circles, which intersect at the point where the target is located. Oracle trilateration works slightly differently. The researchers wrote in their paper that the first step for the person who wants to identify their target's location "roughly estimates the victim's location," for example, based on the location displayed in the target's profile. Then, the attacker moves in increments "until the oracle indicates that the victim is no longer within proximity, and this for three different directions. The attacker now has three positions with a known exact distance, i.e., the preselected proximity distance, and can trilaterate the victim," the researchers wrote.
"It was somewhat surprising that known issues were still present in these popular apps," Karel Dhondt, one of the researchers, told TechCrunch. While this technique doesn't reveal the exact GPS coordinates of the victim, "I'd say 2 meters is close enough to pinpoint the user," Dhondt said. The good news is that all the apps that had these issues, and that the researchers reached out to, have now changed how distance filters work and are not vulnerable to the oracle trilateration technique. The fix, according to the researchers, was to round the exact coordinates to three decimal places, making them less precise and accurate.
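The procedure described above, as an added worked example that is not code from the paper, the researchers or any of the apps: a toy server answers the distance-filter oracle ("is this user within R of me?") from stored coordinates, the attacker spoofs their own GPS position and walks from a rough guess in three directions until the oracle flips, and the three boundary points are trilaterated. The same server can round the searched users' coordinates to three decimal places, which is the fix the article reports and the quantization defence several commenters discuss below. Everything here is an assumption for illustration: the names DatingServer, within_distance, find_boundary and trilaterate are invented; the victim position, the 1 km filter radius, the 150 m rough estimate and the half-metre spoofing step are constructed; distances use a local flat-earth approximation; and the rounding is assumed to apply to the stored coordinates of the users being searched, not to the querier's own (attacker-controlled) position.

```python
import math

M_PER_DEG_LAT = 111_320.0  # metres per degree of latitude (flat-earth approximation, assumed)


def move(pos, dx_m, dy_m):
    """Offset a (lat, lon) pair by dx_m metres east and dy_m metres north."""
    lat, lon = pos
    new_lat = lat + dy_m / M_PER_DEG_LAT
    mean_lat = math.radians((lat + new_lat) / 2)
    return new_lat, lon + dx_m / (M_PER_DEG_LAT * math.cos(mean_lat))


def local_xy(origin, pos):
    """(east, north) offset in metres of pos from origin; exact inverse of move()."""
    (lat0, lon0), (lat, lon) = origin, pos
    mean_lat = math.radians((lat0 + lat) / 2)
    return ((lon - lon0) * M_PER_DEG_LAT * math.cos(mean_lat),
            (lat - lat0) * M_PER_DEG_LAT)


def distance_m(a, b):
    return math.hypot(*local_xy(a, b))


class DatingServer:
    """Toy back-end (invented). round_decimals=None is the vulnerable behaviour (exact
    coordinates feed the distance filter); round_decimals=3 is the reported fix. Assumed:
    rounding applies to the searched user's stored coordinates, not the querier's."""

    def __init__(self, round_decimals=None):
        self.round_decimals = round_decimals
        self.locations = {}
        self.queries = 0

    def update_location(self, user, lat, lon):
        self.locations[user] = (lat, lon)

    def within_distance(self, querier, target, radius_m):
        """The oracle: is `target` listed when `querier` filters by 'within radius_m'?"""
        self.queries += 1
        lat, lon = self.locations[target]
        if self.round_decimals is not None:
            lat, lon = round(lat, self.round_decimals), round(lon, self.round_decimals)
        return distance_m(self.locations[querier], (lat, lon)) <= radius_m


def find_boundary(server, attacker, victim, start, direction, radius_m, step_m, max_m=3000.0):
    """Spoof the attacker's GPS along `direction` (unit vector east, north) from `start`
    until the oracle flips to 'not within radius'. The midpoint of the last inside and
    first outside samples lies within step_m/2 of the circle of radius radius_m."""
    dx, dy = direction
    server.update_location(attacker, *start)
    if not server.within_distance(attacker, victim, radius_m):
        raise ValueError("rough estimate must lie inside the victim's filter radius")
    travelled = 0.0
    while travelled < max_m:
        nxt = travelled + step_m
        server.update_location(attacker, *move(start, dx * nxt, dy * nxt))
        if not server.within_distance(attacker, victim, radius_m):
            return move(start, dx * (travelled + step_m / 2), dy * (travelled + step_m / 2))
        travelled = nxt
    raise RuntimeError("victim never left the filter radius")


def trilaterate(points):
    """Centre of the circle through three points (equal radii, so the radius cancels):
    subtract the circle equations pairwise and solve the resulting 2x2 linear system."""
    origin = points[0]
    (x1, y1), (x2, y2), (x3, y3) = (local_xy(origin, p) for p in points)
    a1, b1, c1 = 2 * (x2 - x1), 2 * (y2 - y1), x2 * x2 + y2 * y2 - x1 * x1 - y1 * y1
    a2, b2, c2 = 2 * (x3 - x1), 2 * (y3 - y1), x3 * x3 + y3 * y3 - x1 * x1 - y1 * y1
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("boundary points are collinear; pick other directions")
    return move(origin, (c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def oracle_trilateration(server, attacker, victim, rough_estimate, radius_m, step_m=0.5):
    """Walk north, east and south from the rough estimate, then trilaterate."""
    directions = [(0.0, 1.0), (1.0, 0.0), (0.0, -1.0)]
    boundary = [find_boundary(server, attacker, victim, rough_estimate, d, radius_m, step_m)
                for d in directions]
    return trilaterate(boundary)


VICTIM_TRUE = (50.00049, 8.00049)  # constructed; rounds to (50.000, 8.000) at 3 decimals


def run_attack(round_decimals=None, radius_m=1000.0):
    """Return (metres between the attacker's estimate and the victim's true position,
    number of oracle queries spent)."""
    server = DatingServer(round_decimals)
    server.update_location("victim", *VICTIM_TRUE)
    # The attacker only has a rough start (constructed here as 150 m off, standing in for
    # the coarse distance shown on the profile); it must lie inside the filter radius.
    rough = move(VICTIM_TRUE, 120.0, -90.0)
    estimate = oracle_trilateration(server, "attacker", "victim", rough, radius_m)
    return distance_m(estimate, VICTIM_TRUE), server.queries


if __name__ == "__main__":
    for decimals in (None, 3):
        err, n = run_attack(decimals)
        print(f"rounding={decimals}: estimate is {err:.1f} m from the victim after {n} queries")
```

With exact coordinates the estimate lands within about a metre of the victim after roughly 5,700 oracle queries, a trivial amount for an automated client (a coarse walk followed by a fine one would cut that further). With three-decimal rounding the attack still converges, but on the grid point (50.000, 8.000), about 65 m from the true position: the residual error is bounded by the grid cell (about 111 m of latitude and 72 m of longitude at this latitude), no matter how many queries the attacker spends, which is the whole point of quantizing rather than adding per-query noise that repeated queries could average out.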
Protection? (Score:3)
Re: Protection? (Score:2)
psycho/rapist/murderer
Or, statistically most likely, is the ex looking for and capable of such behaviour after the breakup?
Cos yes, it's almost always someone the victim knows well.
Re: (Score:2)
Re: (Score:2)
Honestly, what is the expectation here? ... This is INHERENTLY dangerous for people who intend to participate, because there is no way to filter on "is the person at the other end of this communication path a psycho/rapist/murderer?"
The psycho filtering is generally meant to be handled using the chat functionality in the app. The expectation is that you decide if you feel safe meeting someone before giving them a precise place to find you. It's a significant problem if someone can pinpoint your location before you've made that choice.
Re: (Score:2)
Re: (Score:2)
Surely we can design a solution. Off the top of my head, we could devise a fairly foolproof solution by having the user's location offset by a random 0.5-1 mile distance in a random direction for the purposes of others computing whether they meet the distance filter. Or add some level of fuzziness on the filtering side so that when you specify "within five miles of me" you're actually seeing people within a regularly rotated random distance of between 5-7 miles.
I don't use these apps, but I can't imagin
Re: (Score:2)
Re: (Score:2)
No randomness necessary, reduce the precision of all locations such that nothing is resolved to finer than say a 500mx500m grid.
Hire stupid coders... (Score:3)
... get stupid code. This is a vulnerability so obvious that any smart and educated person can find it with a few minutes of thinking.
Vulnerabilities??? (Score:4, Insightful)
These are not dating apps, they're hookup apps. And clearly none of these "researchers" have actually used them for their intended purpose. If they had, they would know that the geo-location and matching to other users in close proximity is the entire POINT. We're not talking about a site like OK Cupid where one would try to find a soul mate and slowly get to know each other, first over online chat, then coffee, then dinner and a movie, then on the third IRL date if you're connecting emotionally and maybe into having a relationship so now you have sex. One does not fire up Grindr for that. You open up Grindr because you're horny and you want to get laid now, Now, NOW by someone you consider a hottie who is in close proximity.
This "vulnerability" is no such thing. It's not even a bug. It's a feature.
Re: (Score:2)
Re: (Score:2)
Even a rough estimate of distance can leak your precise location. Consider that you can change YOUR putative location and zero in on a range, then move to a different fake location and range in from there, and immediately discern precisely where your target is.
Not necessarily. A reasonable algorithm would be to always say that the person is in the exact center of a neighborhood if you're in a large city, or the nearest town or census-designated place otherwise. So if you're in Central park and haven't agreed to talk to the person, it might say you're on the Great Lawn, or it might arbitrarily assign you to the middle of either the Upper East Side or Upper West Side neighborhood. Either way.
That would allow you to know that if you're in Massachusetts somewhere,
Re: (Score:2)
Not necessarily. A reasonable algorithm would be to always say that the person is in the exact center of a neighborhood if you're in a large city, or the nearest town or census-designated place otherwise
Another reasonable approach would be simple quantization. Round the latitude and longitude to two decimal places in cities or one decimal place in rural areas. No matter how many ways you try to triangulate the rounded value, you're still going to get the same point, which is going to be within a few blocks or a few miles of the person's actual location.
Re: (Score:2)
Re: (Score:2)
OK, sure. Another reasonable approach with somewhat coarser granularity would be to locate the user "3rd planet from the sun" - #undef _SARCASM. The problem with quantizing is that it defeats the purpose of "am I close enough to go hook up with this individual without great inconvenience? Can I get my rocks off with a short walk, or will it be a subway ride with three changes and a corresponding deflation of ardor?".
That's why I specified the intervals that I did. A position quantized to 1/100th of a degree is quantized on a 0.69-mile interval, and because your position is precisely known, this means the person can be at most about a third of a mile closer or farther from you on either axis. That's one subway stop in NYC. This is not a huge distance. But I suppose you could cut that in half, because being accurate to a specific subway stop instead of +/- 1 would probably be an improvement. Either way, if you can't
Now try Grindr (Score:1)
... just not when the RNC is in town!
If I were gay, that would be my favorite time... (Score:2, Flamebait)
... just not when the RNC is in town!
I've fucked Republicans...many who proclaimed themselves to be future TradWife Christian Conservatives who would never have premarital sex (and obviously I didn't marry any of them)....the repressed sex is HOT and those who proclaim their purity the loudest tend to be freakiest.
So if fucking uptight Christian Conservative women was so fucking hot and wild....what about closeted men?
I have a buddy who bragged about this...said fucking straight guys...the more conservative, the better, is by far the fr
Ideas to defeat this attack: (Score:2)
Could just add or subtract a nominal distance from the reported result, does any user actually care if someone is 25km away vs 27 or 23?
Admittedly, using this method you could still defeat this by populating the search with more queries to generate a heatmap of probability.
Probably better to calculate distance from the Suburb centre!
Re: Ideas to defeat this attack: (Score:2)
I used to use my mobile OS's fake location feature, and had it put me a couple of streets away. Not to avoid stalkers specifically, but just to protect my privacy from any such intrusive apps.
Misreading Fail (Score:2)
I misread the headline as allowing a stalker to pinpoint someone up to 2m underground.
Seemed like the sorta thing only someone who kept someone underground would use.