Grindr is a dating app designed to allow gay men to easily arrange casual hook-ups with other nearby gay men. With more than 5 million users each month (and 10 million downloads), the app is certainly popular, but how many of its users would be happy to know that a simple hack can be used to pinpoint their location at any time to within a foot, and to construct detailed histories of their movements?
Hackers can use a technique known as trilateration to pinpoint users’ location
‘1) Grindr willingly shares location-based data about its users down to an incredibly high level of accuracy (<1ft). Any user, or anonymous attacker, can directly query the server to gain access to this data. Moreover, by spoofing locations, an attacker can gather information about any and all users in any location.
2) Although the Grindr app provided the means for a user to disable location-based sharing, this setting was only respected in the app’s user interface. The user’s location was still transmitted to Grindr’s server, and thus retrievable by anyone (by means of issue #1).’
Location information can be accurate ‘down to the centimeter’
Almost as alarming is the fact that although Grindr has been aware of the problem for some 4 months, its only solution thus far has been to recommend that users disable the ‘show distance’ option in Settings, and to disable location tracking in countries where homosexuality is illegal, or can lead to physical violence – notably Russia, Egypt, Saudi Arabia, Nigeria, Liberia, Sudan and Zimbabwe.
This last measure was introduced only when Grindr was alerted that Egyptian police were using the app to track down, arrest and persecute users.
With detailed location information, a detailed picture of users’ movements can be built up
Researcher Colby Moore explained to Ars Technica that as a proof-of-concept attack, his team tracked the daily activities of volunteers using Grindr location information. When this was cross-referenced with Grindr and other social media profile data, together with public records, they were able to uncover the identities of the volunteers,
‘Using the framework we developed, we were able to correlate identities very easily. Most users on the application share lots and lots of additional personal details such as race, height, weight, and a photo. Many users also linked to social media accounts within their profiles. The concrete example would be that we were able to replicate this attack multiple times on willing participants without fail.’
It is therefore possible to use the app to pinpoint gay men’s locations, and to individually identify them.
In countries other than those where location tracking has been disabled by default, the report concludes that the measures taken by Grindr to address the issues once it became aware of them are insufficient,
‘However, Grindr has not addressed the real-time tracking of users down to the centimeter in other countries such as the United States. As a result, the original vulnerability identified by Colby Moore of Synack Research has not been comprehensively addressed as an attacker can still track a Grindr user in real time from home, to the gym, to their job, out in the evening, etc. and determine patterns in behavior.’
Synack’s recommendations therefore remain unchanged,
‘Synack recommends that Grindr customers delete and stop use of the Grindr app until the vendor has addressed the first vulnerability detailed in this advisory.
Workarounds: Turn off location services “show distance” for the Grindr app. Note that this will have an impact on application usability given the purpose of the application and will not wholly eliminate the risk of information disclosure as the user’s precise location is still being transmitted to Grindr and the user will show as a ‘nearby’ user to others.’
The problem, however, is not unique to the Grindr app. Moore notes that his team concentrated on Grindr because gay men are often adversely targeted, but warned that,
‘It’s not just Grindr that’s doing this. I’ve looked at five or so dating apps and all are vulnerable to similar vulnerabilities.’