It's a horrible shame that many developers don't think through the consequences of their implementations before publishing services that trade in personal information. The technique published in this disclosure, as well as the fact that the service sent users' exact coordinates before July, should have been some of the most obvious concerns in building a service that shares one's picture while purporting to keep one's identity and location hidden.<p>Is Tinder still sending date of birth instead of a calculated age, like in the API example? It seems that no one there has given any thought at all to this topic other than to splash some water at the earlier fire. (IncludeSecurity, could you let us know whether Tinder is still sending the birth date data?)<p>I can understand that many people don't think through the consequences of sharing personal information, but it's hard to believe how many developers dealing with other people's information give it so little thought as well.
The biggest privacy vulnerability for dating services is a simple reverse image search. The majority of users use the same images for their dating service as they do for every other social network.<p>Once you've found their Twitter/Instagram/whatever, then you have a name. Now you have their Facebook profile.
If their fix uses random noise per API call, they are again vulnerable (just take the average of the results).<p>Also, again, reduced precision on the reported distance won't fix the issue; you can sweep the map for changes in the last digit (by changing the attacker's reported position).<p>They must reduce the precision of the user's input, not the reported distance's precision.<p>P.S. The problem here is the accuracy, not the precision.
Another enormous hole in app privacy is that mobile devices tend to store <i>location and compass bearing</i> in addition to handset model <i>in every photo taken with the camera</i>.<p>So if you run a web or mobile app, scrub these on receipt by re-rasterizing (load .jpg/png -> copy image data -> save to a new file) using something like ImageMagick.
How could you even prevent this vulnerability?<p>As long as the undocumented API is publicly accessible, and Tinder intends on reporting users' distance to each other (4.5 miles), it will always be possible to triangulate the position.<p>The only thing I can think of is to obfuscate the user ID in a way that you can't use the ID to guarantee a lookup of the same user.
Their "fix" will do nothing to prevent location information leaking. Making more accounts and getting more distances will increase the precision just as seeing more satellites increases GPS position. No matter how much noise they add, they will always be vulnerable to this attack, in the same way that, with enough time, even the most subtle timing attack will be exploitable.<p>There is a way they can fix it properly though. What they need to do is report the actual position of the user, not the position relative to a position you give it. This may seem less secure, but if it gave that latitude and longitude to within 3 miles, for example, it would be impossible to locate a user more precisely than that.
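Added example, not part of any comment in this thread and not Tinder's code: a server-side sketch contrasting the two fixes the comments above discuss, fresh noise on every call versus coarsening the stored position once on receipt. The grid size, the sample coordinates and all function names are assumptions made for the illustration.

```python
import math
import random

EARTH_RADIUS_MILES = 3958.8
CELL_DEG = 0.05  # assumed grid size: about 3.5 miles of latitude per cell


def haversine_miles(a, b):
    """Great-circle distance in miles between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))


def snap(pos, cell_deg=CELL_DEG):
    """Coarsen a position to the centre of its grid cell, once, on receipt."""
    return tuple((math.floor(c / cell_deg) + 0.5) * cell_deg for c in pos)


def distance_with_noise(viewer, target, rng, sigma_miles=1.0):
    """Weak fix: exact distance plus fresh random noise on every call."""
    return haversine_miles(viewer, target) + rng.gauss(0.0, sigma_miles)


def distance_from_snapped(viewer, target):
    """Hardened: the server only ever computes on the coarsened target position."""
    return round(haversine_miles(viewer, snap(target)), 1)


def mean_noisy_error(viewer, target, calls, seed=0):
    """How far the average of `calls` noisy answers is from the true distance."""
    rng = random.Random(seed)
    avg = sum(distance_with_noise(viewer, target, rng) for _ in range(calls)) / calls
    return abs(avg - haversine_miles(viewer, target))


# Constructed sample coordinates, not taken from the page.
VIEWER = (40.7000, -74.0000)
TARGET_A = (40.7612, -73.9822)
TARGET_B = (40.7790, -73.9610)  # different spot, same 0.05-degree cell as TARGET_A

if __name__ == "__main__":
    print("noise error after 1 call:    ", mean_noisy_error(VIEWER, TARGET_A, 1))
    print("noise error after 5000 calls:", mean_noisy_error(VIEWER, TARGET_A, 5000))
    print("snapped A:", distance_from_snapped(VIEWER, TARGET_A))
    print("snapped B:", distance_from_snapped(VIEWER, TARGET_B))
```

With the snapped variant, two users anywhere inside the same cell produce identical responses for every viewer position, so the response carries no information finer than the cell; the per-call noise variant has no such bound.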
"January 1st 2014 - We look at the server-side traffic to see if the same issue exists and see that the high precision data is no longer being returned by the server (awesome looks like a fix!)<p>"February 19th 2014 - As the issue does not seem to be reproducible and we have no updates from the vendor....blog post published."<p>So, this has been fixed now? The rest of the post wasn't very clear about that.
I was actually messing around with something similar (using only the radius information) a couple of weekends ago. In case anyone is curious, Node project just pushed to GitHub:<p>https://github.com/tmsh/guess-city-on-radius
So why again isn't this personal information transferred over HTTPS? Secure connections should be enabled by default for every web service or API, ever. For starters.
I love that they published a "Vulnerability Disclosure Timeline" and waited for the company to patch the vulnerability before publishing this blog post.
Kudos to you for keeping this vulnerability secret and waiting for a fix. You've been waiting for a fix for almost three months, and without much of a response from the side of Tinder. And the latter I think is even more frustrating than the first.<p>Having been in a similar situation, I don't think I would have waited as long as you did.
I can't believe they don't do a simple fix that can be done in less than a minute. This is a serious information leaking issue. The time they spent replying to the author's emails was long enough to just get the fix done.