Security issues in gay dating app Grindr exposed users' locations
Two security issues have been discovered in Grindr, the gay dating app, which could reveal the location of users even if they opted to keep this information private. There are concerns that the privacy compromise could lead to harassment of Grindr users.
Trevor Faden created a site called C*ckBlocked (that's the actual name, we're not being prudish and getting out our censorship pens) which was designed to give Grindr users the chance to see who had blocked them. By exploiting a security loophole similar to the one exposed in the recent Facebook/Cambridge Analytica scandal, Faden's site was able to access a wealth of private data including deleted photos and user locations.
On C*ckBlocked, people were invited to provide their username and password so they could find out which other Grindr users had blocked them. A privacy flaw in the API that allowed third parties access to Grindr data meant that the site could show not only publicly available data, but also data that had supposedly been kept private.
NBC News reports that Faden was able to determine the location of users after they connected their Grindr profile to C*ckBlocked, even though they'd opted to hide this data from public view. Faden says:
One could, without too much difficulty or even a huge amount of technological skill, easily pinpoint a user's exact location.
As if this security flaw were not enough, Faden also discovered another issue that did not rely on users logging into their profiles or connecting them to a third-party site. NBC News explains:
Grindr requires users to send location data to its servers in order for the app to work. Some of that information is not encoded, meaning that passive observers of internet traffic -- for instance, on a public Wifi network watched over by a country's government -- can identify the location of anyone who opens the app.
Since the problems were exposed, Grindr has patched its APIs to prevent access to data in the way C*ckBlocked did -- Faden's site has also closed down as a result.