Tinder, a mobile dating app, has turned Sochi into the Winter Dating Games, suggests the Daily Mail. Tinder works by introducing people looking for a date by using geolocation to detect potential couples in reasonable proximity to each other. Each person sees a photo of the other. Swiping left tells the system you are not interested, but swiping right connects the parties to a private chatroom. Its use, according to the Mail report, is widespread among athletes in Sochi.
However, it was only within the last couple of months that a serious flaw, which could have had dire consequences in security-conscious Sochi, was fixed by Tinder. The flaw was discovered by Include Security in October 2013. Include's policy is to give developers three months to fix vulnerabilities before going public. It has confirmed that the flaw has been fixed, and now it has gone public.
The flaw was based on the distance information provided by Tinder in its API – a 64-bit double field called distance_mi. "That's a lot of precision that we're getting, and it's enough to do really accurate triangulation!" Triangulation is the process used in finding a precise position where three separate distances cross (Include Security notes that it's more accurately 'trilateration;' but commonly understood as triangulation); and in Tinder's case it was accurate to within 100 yards.
"I can create a profile on Tinder," wrote Include researcher Max Veytsman, "use the API to tell Tinder that I'm at some arbitrary location, and query the API to find a distance to a user. When I know the city my target lives in, I create 3 fake accounts on Tinder. I then tell the Tinder API that I am at three locations around where I guess my target is."
Using a specially developed app, which it calls TinderFinder but won't be making public, to show off the flaw, the three distances are then overlaid on a standard map system, and the target is located where all three intersect. It is without any question a serious privacy vulnerability that would allow a Tinder user to physically locate someone who has just 'swiped left' to reject any further contact – or indeed an athlete in the streets of Sochi.
The basic problem, says Veytsman, is commonplace "in the mobile app space and [will] continue to remain common if developers don't handle location information more sensitively." This particular flaw came through Tinder not adequately fixing a similar flaw in July 2013. At that time it gave out the precise longitude and latitude position of the 'target.' But in fixing that, it merely substituted the precise location for a precise distance – allowing Include Security to develop an app that automatically triangulated a very, very close position.
Include's recommendation would be for developers "to never deal with high resolution measurements of distance or location in any sense on the client-side. These calculations should be done on the server-side to avoid the possibility of the client applications intercepting the positional information." Veytsman believes the issue was fixed some time in December 2013 simply because TinderFinder no longer works.
A disturbing feature of the episode is the almost total lack of cooperation from Tinder. A disclosure timeline shows just three responses from the company to Include Security's bug disclosure: an acknowledgment, a request for more time, and a promise to get back to Include (which it never did). There is no mention of the flaw and its fix on Tinder's website, and its CEO Sean Rad did not respond to a phone call or e-mail from Bloomberg seeking comment. “I wouldn’t say they were extremely cooperative,” Erik Cabetas, Include’s founder told Bloomberg.