Earlier this year, researchers revealed a security flaw that exposed the location and HIV status of users of the gay dating application Grindr. A new report now shows that the app still exposes each user's precise location because it does not block third-party access to its private API.
The report shows that Grindr has been exposing users' locations for several years; more seriously, the developer knows about the flaw and has taken no additional measures to resolve it.
The application has at least 10 million downloads, and its services range from a free tier to paid subscriptions for additional features. The report, published by Queer Europe, states that a technique called trilateration is used to expose users' locations: the app tells each user, with some precision, how far away other users are, and several such distances are enough to pin down a position.
Applications designed to locate Grindr users are publicly available online and give everyone access to a virtual map where you can travel from city to city and country to country, while simultaneously seeing the exact location of cruises that distance them online parts. pic.twitter.com/0IumD6laAE
– Queer Europe 🏳️🌈 (@QueerEurope) September 13, 2018
BuzzFeed reported that a tool called Fuckr was built on this technique; its source code is available on GitHub and has been forked many times, which later led to the exposure of users' private data.
Because Grindr reveals how far away each user is, distance data collected from nearby locations is easy to abuse. For example, the Grindr API allows unofficial apps such as Fuckr to issue at least 600 API requests per second, quickly revealing the locations of a large number of users.
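As an added illustration from the defensive side (not code from the report, from Queer Europe or from Grindr), the following Python detector flags API clients that show the access pattern described above: a burst of requests far above what a real user generates, each from a different self-reported position. The log format, client ids and thresholds are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample API access log (not real Grindr data). Fields:
# timestamp, client id, client-reported latitude/longitude, endpoint.
# "scraper-7" hops its reported position on every request, which is
# what repeated distance queries for trilateration look like server-side.
SAMPLE_LOG = """\
2018-09-13T10:00:00.000 app-user-1 52.3700 4.8900 /nearby
2018-09-13T10:00:00.020 scraper-7 52.3700 4.8900 /nearby
2018-09-13T10:00:00.040 scraper-7 52.3710 4.8900 /nearby
2018-09-13T10:00:00.060 scraper-7 52.3700 4.8910 /nearby
2018-09-13T10:00:00.080 scraper-7 52.3720 4.8920 /nearby
2018-09-13T10:00:00.100 scraper-7 52.3730 4.8930 /nearby
2018-09-13T10:00:05.000 app-user-1 52.3701 4.8901 /nearby
"""


def parse_line(line):
    """Split one log line into (timestamp, client, (lat, lon), endpoint)."""
    ts, client, lat, lon, endpoint = line.split()
    return datetime.fromisoformat(ts), client, (float(lat), float(lon)), endpoint


def flag_clients(log_text, window=timedelta(seconds=1),
                 max_requests=4, max_positions=3):
    """Return {client: set(reasons)} for clients that, within any sliding
    window, exceed the request budget ("rate") or query from more distinct
    self-reported positions than a device can plausibly occupy
    ("position-hopping"). Thresholds are hypothetical; tune per deployment.
    """
    recent = defaultdict(deque)   # client -> deque of (timestamp, position)
    flagged = defaultdict(set)
    for line in log_text.strip().splitlines():
        ts, client, pos, _ = parse_line(line)
        history = recent[client]
        history.append((ts, pos))
        # Drop events that fell out of the sliding window.
        while history and ts - history[0][0] > window:
            history.popleft()
        if len(history) > max_requests:
            flagged[client].add("rate")
        if len({p for _, p in history}) > max_positions:
            flagged[client].add("position-hopping")
    return dict(flagged)


if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))
```

Either signal on its own should at minimum trigger rate limiting; the combination is a strong indicator that an unofficial client is mapping users rather than browsing nearby profiles.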
Beyond this flaw, the API also makes it possible to reach the application's database and a large amount of user data. Queer Europe's recommendation to Grindr concerns the default setting that lets other users learn one's location, and it calls on the company to be more transparent about how third parties access and process data from its application remotely.