Well, this is more than a little creepy. A gaping flaw in the app Tinder let users track one another’s locations in real time until the end of 2013, Web security experts revealed Wednesday. It wouldn't have been easy, but it wouldn't have been all that hard, either: Using three different user accounts and some basic programming skills, Tinder users could have triangulated one another’s physical locations within 100 feet of accuracy until the security hole was fixed at the end of last year.
Tinder is the third major tech company to be hacked in three months, after Snapchat and Kickstarter suffered security breaches of their own. If you didn't know already, Tinder is a popular dating app that allows users to view the profiles and pictures of people nearby who also use Tinder, in hopes of finding a match. Because the very concept of the service is based around tracking users’ locations, all of the information required for triangulation was contained on the Tinder servers.
The flaw has since been fixed, and Tinder claims they have no record of anyone actually using the technique to track somebody else.
In a rather embarrassing twist, the flaw was discovered by mistake. Include Security is a security consulting firm that, in between doing security check-ups for big tech clients, “flexes its hacking muscles” by trying to break into smaller apps. That’s how they discovered the flaw in Tinder, and even though they notified the app’s makers in October, Include Security says they were still able to use the gap to track users’ locations until Jan. 1, 2014.
Include Security detailed the process in a lengthy blog post, and demonstrated how the security flaw could be exploited in an accompanying video.
Awkward, Tinder. Very awkward.