Belgian security researchers have uncovered a disturbing trend in the world of dating apps, revealing that users’ sensitive data and even their exact locations could be at risk of exposure. Karel Dhondt and Victor Le Pochat from KU Leuven analyzed 15 location-based dating apps and found that all of them leaked some form of sensitive user data beyond what users willingly share on their profiles.
The type of data leaked by these apps falls under the category of “sensitive” as defined by the General Data Protection Regulation (GDPR) of the European Union. This includes information such as ethnic origin, political opinions, sexual orientation, gender, and health details. The researchers were particularly interested in understanding the risks associated with malicious actors gaining access to this data and potentially using it in harmful ways.
Among the popular dating apps scrutinized were global platforms like Tinder, Bumble, Grindr, Badoo, OkCupid, MeetMe, and Hinge, as well as regional favorites such as TanTan in Asia and Meetic in Europe. The researchers found vulnerabilities in all of these apps that could expose users to privacy risks and compromise their safety.
Le Pochat emphasized that accessing user data from these apps did not involve hacking the servers but rather exploiting the data traffic flowing in and out of the apps. This method allowed the researchers to pinpoint the exact physical locations of some users, posing a serious threat to their privacy and security.
Trilateration, a technique similar to the one GPS uses to determine locations, enabled the researchers to accurately locate app users by drawing intersecting circles based on the known distances between themselves and the victim. This method revealed alarming vulnerabilities in apps like Grindr, where even users who had hidden their distance information were susceptible to precise location tracking.
The researchers plan to present their findings in a paper titled “Swipe Left for Identity Theft: An Analysis of User Data Privacy Risks on Location-based Dating Apps” at the upcoming Black Hat USA 2024 conference. This research builds upon previous work by Dhondt and Le Pochat, who highlighted privacy risks in fitness apps that leak sensitive location information.
The implications of these findings are significant, especially considering the emotional and personal nature of interactions on dating apps. Dhondt stressed the importance of maintaining privacy and safety on these platforms to prevent potential threats or harm to users.
While the researchers have notified companies about vulnerabilities in their apps and some fixes have been implemented, concerns remain about data leaks that companies have attributed to “intended behavior.” This raises questions about the security practices of dating apps and the potential risks users face when sharing personal information.
In conclusion, users of dating apps are advised to be cautious about the information they share and to be aware of the privacy risks associated with these platforms. By being vigilant and mindful of the data they disclose, users can reduce the likelihood of falling victim to malicious actors seeking to exploit vulnerabilities in these apps.
