
How I was able to track the location of any Tinder user - rkudeshi
http://blog.includesecurity.com/2014/02/how-i-was-able-to-track-location-of-any.html
======
discostrings
It's a horrible shame that many developers don't think through the
consequences of their implementations before publishing services that trade in
personal information. The technique published in this disclosure, as well as
the fact that the service sent users' exact coordinates before July, should
have been some of the most obvious concerns in building a service that shares
one's picture while purporting to keep one's identity and location hidden.

Is Tinder still sending date of birth instead of a calculated age, like in the
API example? It seems that no one there has given any thought at all to this
topic other than to splash some water at the earlier fire. (IncludeSecurity,
could you let us know whether Tinder is still sending the birth date data?)

I can understand that many people don't think through the consequences of
sharing personal information, but it's hard to believe how many developers
dealing with other people's information give it so little thought as well.

~~~
auston
Maybe it was originally viewed through a performance perspective only, with
the idea that all of the data crunching should happen on the front end to
provide a faster server response?

~~~
jw2013
Just rounding a location integer can be done in less than 10 assembly
instructions. Maybe the time spent on that can well be compensated by
transferring less data (originally we transfer a float, now we only transfer an
integer).

Anyway, the point is that processing this one piece of sensitive information on
the server side really takes little time. Maybe only several nanoseconds? The
network latency is the bottleneck, not the processing of several bits of data.

------
herbig
The biggest privacy vulnerability for dating services is a simple reverse
image search. The majority of users use the same images for their dating
service as they do for every other social network.

Once you've found their Twitter/Instagram/whatever, then you have a name. Now
you have their Facebook profile.

~~~
glenda
Also, once a person gives you one bit of information it becomes infinitely
easier to find them.

Especially with the facebook graph search you can do something like: "women
who live near me named _____ who like _____ and graduated from ____." And then
you have their facebook profile...

I am still sort of shocked that facebook just allows anyone to do this.

~~~
lordCarbonFiber
To be fair, that is (was?) the entire point of facebook. Allowing people to
connect and answering the question "Remember that girl "Jane Doe" from
college, what is she up to?" was basically the killer feature.

~~~
herbig
That's a far cry from "show me all female friends of my friends near me who
are single and like the walking dead" or "all males in nyc who work at X
company and use tindr app".

Facebook gives zero privacy to anyone using it. If I walk into a coffee shop
and see someone interesting working there, I can just run a graph search and
page through the results until I have their entire life history online.

~~~
lucaspiller
Wow I didn't know you could search apps too, it appears you can see all apps
someone uses "Apps used by <name>". I guess that could avoid the awkward
moment on dates... "Hey do you like Candy Crush?"

~~~
mavus
Hence the 'See all friends using the Bang with Friends app' incident.

------
sumnulu
If their fix uses random noise per API call they are again vulnerable (just
take the average of each result).

Also, again, reduced precision on the reported distance won't fix the issue; you
can sweep the map for changes in the last digit (by changing the attacker's
reported position).

They must reduce the precision of the user's input, not the reported distance's
precision.

PS: the problem here is the accuracy, not the precision.

~~~
erichocean
_They must reduce the precision of the users input not the reported distances
precision._

That's an interesting idea: randomly perturbing a user's reported location.

I've been developing a social network app that, in v1 (development was
outsourced to someone else), sent the distance to a particular profile (I'm
not sure how accurately). In v2, I wasn't sure what to do so I've left it out,
but it's currently at number 3 on my TODO list.

In our case, it's pretty important to be able to do location sorting client
side. We have the geo extensions for SQLite and are intending on using that.

So, question: if I randomly perturbed users' locations reported to the server
by anywhere from 1-5 miles, would that be sufficient to ensure privacy, while
also enabling the app feature, which only needs precision at the level of a
few miles?

UPDATE: I thought about this some more, and what I'd do is the following:

1. Take the location of the device and make it imprecise, but accurate. For
example, it could be anywhere within a five square mile radius, but it really
would be within that radius.

2. On a per-user basis, pseudo-randomly but deterministically perturb the
imprecise location for that user, to generate the stored location.

The second requirement is to prevent averaging multiple location updates for
the same person over time, to pinpoint a location. Each user would have a
different random, but deterministic offset for each five square mile area on
the globe.

The perturbed location for that device in that area would be the same for
everyone, so you wouldn't be able to merge the output of multiple users "view"
of that device's location to increase accuracy, either.

I'd appreciate any and all feedback. Thanks.

~~~
jowiar
It really depends on what you're trying to do - you might be overthinking it. I
think rounding all inputs to the nearest minute or two of latitude and
longitude is probably sufficient for most cases... Basically, treating the
world as a grid of some sort, and dealing in exact points at that level.

~~~
asmosoinio
This sounds like the correct, and simple, way to do it.

------
elwell
This is a really beautiful hack. Not just some SQL injection run-of-the-mill
vulnerability. Very clever.

~~~
IncludeSecurity
Thanks, these are the kind that we find every week. We also get bored of the
SQLi/XSS treadmill....it's much more fun to find a parsing error that leads to
a crypto vuln that bypasses authentication (hint hint for a future blog post)

------
midas007
Another enormous hole in app privacy is that mobile devices tend to store
_location and compass bearing_ in addition to handset model _in every photo
taken with the camera_.

So if you run a web or mobile app, scrub these on receipt by re-rasterizing
(load .jpg/png -> copy image data -> save to a new file) using something like
ImageMagick.
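
An added example illustrating the same scrubbing step in pure Python (not code from the thread or from Tinder). Instead of re-rasterizing with ImageMagick as midas007 describes, it walks the JPEG marker structure and drops the APP1 segment (where Exif, including the GPS and bearing fields, lives) and the APP13 Photoshop/IPTC segment, leaving the JFIF header, quantization tables and the compressed scan untouched. The sample JPEG bytes are constructed inline so the script runs offline; a real file would be read from disk instead.

```python
# Added example: strip the metadata segments from a JPEG by walking its markers.
# Assumes a baseline JPEG where all metadata precedes the SOS (start of scan)
# segment, which is where the Exif standard puts it. This is an alternative to
# re-rasterizing; it is not the thread's or any vendor's code.

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP1, APP13 = 0xE1, 0xED
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))
# APP1 holds Exif (camera model, GPS, bearing) and XMP; APP13 holds IPTC/Photoshop.
METADATA_MARKERS = {APP1, APP13}


def iter_segments(data: bytes):
    """Yield (marker, start, end) for each header segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    i = 2
    while i < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:            # fill byte, skip it
            i += 1
            continue
        if marker in STANDALONE:
            yield marker, i, i + 2
            i += 2
            if marker == EOI:
                return
            continue
        length = int.from_bytes(data[i + 2:i + 4], "big")  # includes the 2 length bytes
        end = i + 2 + length
        if end > len(data):
            raise ValueError(f"truncated segment at offset {i}")
        yield marker, i, end
        if marker == SOS:             # entropy-coded data follows; stop parsing
            return
        i = end


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG with APP1/APP13 segments removed."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in iter_segments(data):
        if marker == SOS:
            out += data[start:]       # copy SOS header, scan data and EOI verbatim
            return bytes(out)
        if marker in METADATA_MARKERS:
            continue                  # drop the metadata segment
        out += data[start:end]
    return bytes(out)


def header_markers(data: bytes) -> list:
    """Markers of the header segments before SOS, useful for checking the result."""
    return [m for m, _, _ in iter_segments(data) if m != SOS]


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample: JFIF APP0, an Exif APP1 with a placeholder GPS blob, one
# quantization table, a tiny SOS header with three bytes of "scan data", then EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00GPS-PLACEHOLDER")
    + _segment(0xDB, b"\x00" + bytes(64))
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("before:", [hex(m) for m in header_markers(SAMPLE_JPEG)])
    print("after: ", [hex(m) for m in header_markers(cleaned)])
```

Dropping every APP1 segment also removes XMP, which can carry location as well; if an application needs to keep orientation or colour-profile data, it should re-add only the fields it has vetted rather than keep the original segment.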

------
supercoder
Tinder should never have known the user's exact location anyway. They should be
asking the device for a far less accurate coordinate.

------
Skrypt
How could you even prevent this vulnerability?

As long as the undocumented API is publicly accessible, and Tinder intends on
reporting a user's distance to each other (4.5 miles), it will always be
possible to triangulate the position.

The only thing I can think of is to obfuscate the user ID in a way that you
can't use the ID to guarantee a lookup of the same user.

~~~
1timecomment
Instead of having the client use the distance data to filter out people within
a certain radius, the server could do the filtering and send back the result.

Of course, you could probably do a lot of requests from different locations
and intersect the results to find a more accurate position of the target with
this fix too, though with some randomness to each request on the server side
it will probably make it not worthwhile.

------
doktrin
That's some good work. It's a pity Tinder barely acknowledged the assistance.

~~~
mLewisLogic
The lack of acknowledgement to the researcher is pretty shitty. I'd expect it
will really hurt Tinder's chance of their next vulnerability being responsibly
disclosed.

------
tyho
Their "fix" will do nothing to prevent location information leaking. Making
more accounts and getting more distances will increase the precision just as
seeing more satellites increases GPS position. No matter how much noise they
add, they will always be vulnerable to this attack, in the same way that, with
enough time, even the most subtle timing attack will be exploitable.

There is a way they can fix it properly though. What they need to do is report
the actual position of the user, not the position relative to a position you
give it. This may seem less secure but if it gave that latitude and longitude
to within 3 miles, for example, it would be impossible to locate a user more
precise than that.

~~~
natdempk
Idea on top of this: allow a user to pick a landmark or location they want to
represent where they are, like a university or park, so that it's not their
actual location being given out, but rather something meaningful near where
they usually are from day to day.

~~~
bripeace
Yeah they should resolve the location to a geographical name. What value is
there in the distance then other than, oh I can walk over to your house for
casual sex instead of taking the bus. Oh I see...

------
dmur
"January 1st 2014 - We look at the server-side traffic to see if the same
issue exists and see that the high precision data is no longer being returned
by the server (awesome looks like a fix!)

"February 19th 2014 - As the issue does not seem to be reproducible and we
have no updates from the vendor....blog post published."

So, this has been fixed now? The rest of the post wasn't very clear about
that.

~~~
IncludeSecurity
sorry I added "which has since been fixed" to the first paragraph. We like to
write C and Ruby langs, still getting used to this English lang.

~~~
th0br0
s/seen/since/

~~~
IncludeSecurity
thnx _sigh_ words

------
tmsh
I was actually messing around with something similar (using only the radius
information) a couple of weekends ago. In case anyone is curious. Node project
just pushed to github:

[https://github.com/tmsh/guess-city-on-radius](https://github.com/tmsh/guess-city-on-radius)

------
Cthulhu_
So why again isn't this personal information transferred over HTTPS? Secure
connections should be enabled by default for every webservice or API, ever.
For starters.

------
mikeleeorg
I love that they published a "Vulnerability Disclosure Timeline" and waited
for the company to patch the vulnerability before publishing this blog post.

------
Johnie
Just curious, would SSL have helped in this situation?

~~~
cooper12
No. SSL is security between a client and a server and the purpose of it is to
prevent people in between from touching your data. In this case they are not
intercepting any data, but using the iPhone API to get data that the iPhone
app receives anyway.

------
jvdh
Kudos to you for keeping this vulnerability secret and waiting for a fix.
You've been waiting for a fix for almost three months, and without much of a
response from the side of Tinder. And the latter I think is even more
frustrating than the first.

Having been in a similar situation, I don't think I would have waited as long
as you did.

------
jw2013
I can't believe they don't do a simple fix that can be done in less than a
minute. This is a serious information leaking issue. The time they spent
replying to emails from the author is long enough to just get the fix done.

------
foldor
Funny, I was just pondering if this would work yesterday. Glad to hear that
it's been mitigated to be less accurate.

------
Nicholas_C
I've always wondered if this could work, but I thought surely apps don't send
the exact coordinates of a user.

~~~
erichocean
[https://www.apple.com/apps/find-my-friends/](https://www.apple.com/apps/find-my-friends/)

~~~
pugz
That's a bit different; the very purpose of Find My Friends is explicitly to
share your precise location with family/friends.

------
squigs25
Really interesting - this exploit could apply to any social app that tells you
the distance between you and another user

~~~
doktrin
Yes and no. The degree of precision matters a lot. "between 3-4 miles away"
isn't the same as "3.42123459921 miles away". In this case, the distance field
was encoded in a 64-bit double - which if fully utilized is a ridiculous
degree of unnecessary precision.

------
panzi
Yeah, deviantart had that problem at some point as well (if you gave
deviantart your position).

------
harlanlewis
To read, inspect <body> and disable {font-family: FontAwesome}.

~~~
IncludeSecurity
Hey Harlan, we think we fixed the FontAwesome problem, it was false
advertising...the font was not awesome at all, it broke our whole damn blog.

~~~
joekrill
It actually IS pretty awesome. You just generally don't want to apply it to
the body of your entire site!

------
erichocean
Anyone have a link to the previous vulnerability (from July 2013)?

------
koevet
Securing the channel with SSL should fix the issue, no?

~~~
jw2013
No, as long as they send precise distance radius info, a person's location can
easily be computed with a very, very small margin of error.

The easiest fix is just to send less precise location radius. The user does
not care whether another user is 6 miles or 6.0000000001 miles away from him
anyway.

~~~
wcoenen
That doesn't seem to fix anything. Suppose you round to miles. Now I just
sample the system until I find the "border" where the reported distance
changes from 1 to 2 miles, and then I know the distance is exactly 1.5 miles
there (or 2 miles if they round down).

Repeat for two more points and you have the same vulnerability.

~~~
saalweachter
Rounding should work if you round the coordinates instead of the distance.
Then you can at best calculate an approximate location very precisely.
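
As an added example (not code from the thread, from Tinder or from any commenter's project), the following combines the three ideas that recur above into one server-side routine: jowiar's and saalweachter's "round the coordinates, not the distance" by snapping each reported fix to a two-arc-minute grid cell, erichocean's per-user deterministic offset within that cell (so repeated updates cannot be averaged and every observer sees the same point), and 1timecomment's suggestion of filtering on the server and returning only who is in range rather than any distance. The server secret, user ids and coordinates are constructed for the demonstration; `max_error_km` goes slightly beyond the thread by stating the bound on how far the stored point can be from the true one, which is exactly the precision an observer is left with.

```python
# Added example: accurate-but-imprecise stored locations with a per-user,
# per-cell deterministic offset, plus a server-side radius filter that never
# returns distances. All names, secrets and coordinates are constructed.
import hashlib
import hmac
import math

KM_PER_DEG = 111.32        # approximate length of one degree of latitude
CELL_DEG = 1.0 / 30.0      # two arc-minutes, about 3.7 km north-south
EARTH_RADIUS_KM = 6371.0


def cell_of(lat, lon, cell_deg=CELL_DEG):
    """Integer grid cell (row, col) containing a coordinate."""
    return math.floor(lat / cell_deg), math.floor(lon / cell_deg)


def stored_location(user_id, lat, lon, server_secret, cell_deg=CELL_DEG):
    """Point inside the user's current cell, chosen by HMAC(secret, user|cell).

    Because the offset depends only on the user and the cell, every GPS fix
    inside the same cell maps to the same stored point: averaging many updates
    or merging many observers' views cannot recover anything finer than the
    cell. The point is still inside the cell the user is actually in, so the
    result is accurate, just imprecise.
    """
    row, col = cell_of(lat, lon, cell_deg)
    msg = f"{user_id}|{row}|{col}".encode()
    digest = hmac.new(server_secret, msg, hashlib.sha256).digest()
    frac_lat = int.from_bytes(digest[:8], "big") / 2 ** 64    # in [0, 1)
    frac_lon = int.from_bytes(digest[8:16], "big") / 2 ** 64
    return (row + frac_lat) * cell_deg, (col + frac_lon) * cell_deg


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def max_error_km(lat, cell_deg=CELL_DEG):
    """Upper bound on true-to-stored distance: the diagonal of one cell.

    An observer can at best learn the stored point, so the true position stays
    anywhere within this radius of it regardless of how many queries are made.
    """
    north = cell_deg * KM_PER_DEG
    east = cell_deg * KM_PER_DEG * math.cos(math.radians(lat))
    return math.hypot(north, east)


def nearby_user_ids(observer, stored_points, radius_km):
    """Server-side filter: return only the ids in range, never the distances."""
    return sorted(uid for uid, pt in stored_points.items()
                  if haversine_km(observer, pt) <= radius_km)


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    # Three constructed GPS fixes for the same user, a few hundred metres apart.
    fixes = [(40.7128, -74.0060), (40.7131, -74.0057), (40.7125, -74.0064)]
    points = {stored_location("alice", lat, lon, secret) for lat, lon in fixes}
    print("distinct stored points for alice:", len(points))          # 1
    stored = points.pop()
    print("true-to-stored error km: %.2f (bound %.2f)"
          % (haversine_km(fixes[0], stored), max_error_km(fixes[0][0])))
    directory = {"alice": stored,
                 "carol": stored_location("carol", 51.5074, -0.1278, secret)}
    print("within 10 km of alice's stored point:",
          nearby_user_ids(stored, directory, 10.0))                  # ['alice']
```

The cell size sets the privacy floor directly, so it should be chosen for the product's needs (a few miles, as erichocean's app requires) rather than for accuracy; and the secret must stay on the server, since anyone holding it could compute the offset and reduce the stored point back to the cell boundary.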

