Privacy: Grindr API is STILL exposing the location of its users
Earlier in the year it was revealed that a security flaw made it possible to determine not only the location, but also the HIV status of Grindr users. Months down the line, Grindr is still exposing the precise location of its users by failing to block third-party access to a private API.
Using a trilateration technique, and exploiting the fact that Grindr lets users know -- with some degree of accuracy -- how far away they are from others, it is very easy for just about anyone to build a tool that shows precise locations.
- Grindr was sharing users' location and HIV status with third parties
- Mozilla to boost Firefox privacy by automatically blocking all tracking
- Privacy: Yahoo still scans your emails... and wants to sell data to advertisers
One such app that has been create is called Fuckr, the code for which was made available on GitHub. As noted by Buzzfeed, the Fuckr repository has been removed from GitHub, but not before numerous forks sprang up -- and not before news of the app had spread.
Because Grindr lets you know how far you are away from other users, it is very easy to use data from nearby locations to home in on an individual. The Grindr API allows unofficial apps like Fuckr to make 600 API request every second, making it possible to quickly track the locations of numerous people. But more than this, it is also possible to cross-reference the Grindr database and pull up a huge amount of information about users, all of which can be posted on an interactive map.
The privacy risk was brought to light by Queer Europe in an article on its website, and a video shared on Twitter:
Applications designed to locate Grindr users are publicly available online, and give anyone access to a virtual map on which you can travel from city to city, and from country to country, while seeing the exact location of cruising men that share their distance online. pic.twitter.com/0IumD6laAE
— Queer Europe ?️? (@QueerEurope) September 13, 2018
The site says:
Besides mapping queer communities, it is also possible to search for the location of an individual user, even if you have no idea where this user is at that particular moment. After you have interacted with a user, for example through a chat message, you can continue to geolocate them later, whenever they share their distance online. As an experiment, a friend allowed me to track him during a Saturday night out. While sitting behind my laptop, I could see in which restaurants he was eating, in which cafes he was drinking, and in which nightclubs he was dancing. I could also see that he went to the gay sauna at 1 a.m. and then slept at a stranger’s house at 3 a.m. By making it so easy to track individuals with precision, Grindr makes its users extremely vulnerable to harassment and stalking.
Back in March -- after the last privacy controversy -- Grindr issued a statement saying that it takes user security very seriously. But as Queer Europe demonstrates, by providing unfettered API access, Grindr facilitates tools that can pinpoint the location of users to between 2 and 5 meters. The author of the blog post notes: "I was able to locate cruising men with an accuracy of two to five meters, which is very precise, and accurate enough to determine in which house and room users are located. The reason why these locations can be determined so precisely, is that Grindr uses a geohash of 12 characters to locate users, which equals to a 'square on an atlas' of 37×18 centimeters."
Queer Europe has a number of suggestions for Grindr to help improve the safety of its users:
The first thing Grindr can do, is disable the distance function of its users by default. Sharing your exact location with anyone in the world should no longer be the standard, especially in countries that clearly promote homophobia. A second step that Grindr can take, is limit the accuracy of the measured distance between users. This will create more uncertainty about their exact location. Thirdly, the speed and magnitude of location changes can be limited, to protect users against trilateration techniques and measurement from arbitrary points. To prevent data harvesting on a large scale, Grindr should also protect its API, by limiting the amount of information that can be requested.
To conclude, Grindr should be more explicit about the ways in which information shared by users can be obtained and processed by third parties. When users enable the option to share their distance on Grindr, they do not expect that this can be used to obtain their exact location. And when users share their sexual position or HIV status in their profile, they do not foresee that anyone can collect this information via Grindr’s servers. It is thus crucial that Grindr informs their users about the dangers they might face. Not in an obscure part of its helpdesk, but right away in Grindr’s interface, and from the moment people start to share their information.
Until Grindr has fixed its problems, the best advice is to install a fake-location app, and spoof your location to a place nearby. By doing this, adversaries might still be able to globally identify in which neighborhood you live, but at least they will not find out in which house you stay, or in whose bed you sleep.