Bumble and Hinge allowed stalkers to pinpoint users' locations down to 2 meters
Researchers from KU Leuven found vulnerabilities in dating apps like Bumble and Hinge, allowing stalkers to pinpoint users' locations. Affected apps have since improved their distance filters to enhance user privacy.
Researchers from KU Leuven have identified vulnerabilities in popular dating apps, including Bumble and Hinge, that allowed stalkers to determine users' locations with a precision of up to 2 meters. The study analyzed 15 dating apps and found that several, including Badoo, Grindr, and Hily, shared this flaw. Although these apps do not display exact locations, they use precise coordinates for their distance filters, which can be exploited using a method called "oracle trilateration." This technique involves estimating a target's location and then adjusting the proximity filter, using its yes/no answer as an oracle, until the exact position is pinned down.
The researchers expressed surprise that such vulnerabilities persisted in widely used applications. However, following their findings, all affected apps have since modified their distance filter mechanisms to mitigate the risk, rounding coordinates to reduce precision to approximately one kilometer. Bumble confirmed it addressed the issue promptly after being informed in early 2023. Hily's CTO stated that while the potential for trilateration existed, their internal protections made exploitation impractical. Grindr, which rounds user locations to 111 meters, defended its approach as a necessary feature for connecting users within the LGBTQ+ community.
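The weak filter setting beside the corrected one, as an added example that is not taken from the study or from any of the apps; it assumes a haversine great-circle distance, plain decimal rounding of the target's coordinates as the mitigation, and a constructed target position near Leuven.

```python
import math

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def snap(lat, lon, decimals):
    """Round a coordinate to a fixed grid before any distance computation.
    3 decimals is ~111 m of latitude (the Grindr figure), 2 decimals ~1.1 km."""
    return round(lat, decimals), round(lon, decimals)


def within_filter(viewer, target, radius_km, decimals=None):
    """Server-side distance filter answer. decimals=None is the weak setting
    (exact target coordinates); a small integer is the mitigated setting."""
    tlat, tlon = target if decimals is None else snap(*target, decimals)
    return haversine_km(viewer[0], viewer[1], tlat, tlon) <= radius_km


def filter_reveals_move(viewer, before, after, radius_km, decimals=None):
    """True if the target moving from `before` to `after` flips the filter
    answer for this viewer, i.e. the filter acts as a location oracle."""
    return (within_filter(viewer, before, radius_km, decimals)
            != within_filter(viewer, after, radius_km, decimals))


def demo():
    """Constructed scenario: a target near Leuven moves ~2 m north while a
    viewer ~1.1 km away has set a radius 1 m short of the original distance."""
    before = (50.8798, 4.7003)
    after = (50.8798 + 2 / 111_320, 4.7003)  # ~2 m north (constructed)
    viewer = (50.8898, 4.7003)
    radius_km = haversine_km(*viewer, *before) - 0.001
    # Exact coordinates: the 2 m move flips the answer. Rounded: it cannot,
    # because both positions snap to the same grid cell.
    return {d: filter_reveals_move(viewer, before, after, radius_km, d)
            for d in (None, 3, 2)}


if __name__ == "__main__":
    for d, leaked in demo().items():
        print(f"rounding={d!s:>4}: 2 m move visible to filter -> {leaked}")
```

Rounding bounds the resolution to the grid cell, so the remaining leak is the cell itself (roughly 111 m or 1 km), which is the precision the apps now report.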
The study highlights ongoing concerns about user privacy and security in location-based services, emphasizing the need for robust protective measures in app design.
The only novel thing here is that these specific apps are vulnerable.