No match, but still access to the data: dating apps spill personal data

Danger of stalking

Belgian researchers have found significant vulnerabilities in dating apps. It turns out that personal data is poorly secured in fifteen popular apps.

It is very easy to steal sensitive data from users of fifteen popular dating apps, including Tinder, Badoo, Grindr, OKCupid, MeetMe, Hinge, Happn, Hilly, and Bumble. The vulnerabilities make it easy to obtain users’ exact locations and personal data. Among other things, it would be possible to find out users’ gender and sexual orientation.

The researchers from the DistriNet research group, part of the Belgian university KU Leuven, analyzed three categories of data: personal data, sensitive data, and usage data. Some of this data users must enter and share in order to use the dating app’s services.

Intercepting data traffic

Due to poor security, third parties can easily access the data. To do this, the researchers only had to inspect the information the apps receive from the servers via the API. That way, the researchers gained access to data from other users of the dating apps. They also found that it was possible to get additional data by tinkering with the data traffic.

In all 15 apps, it was possible to intercept personal and sensitive data from other users. This included information such as age, place of residence, phone number, political affiliation, religion, and sexual orientation.

In six of the apps, the researchers were also able to find a user’s exact location. Three of these apps are Bumble, Grindr, and Hinge. To do this, the researchers used a method called “oracle trilateration.” It relies primarily on the rough estimate of a user’s location that determines which profiles of potential matches are loaded. By then moving in three different directions until the profile was out of range, the researchers could determine the user’s location to within two meters.

The more data, the more vulnerabilities

Overall, the DistriNet researchers concluded that the number of input fields could determine the degree of app security. The principle is that the more information an app requests about a user, the greater the risk of security leaks.

“The risks are clear,” said co-researcher Victor Le Pochat. “The personal and sensitive data that we were able to expose through simple means is golden for people with bad intentions, who can be either acquaintances near you or complete strangers. Releasing personal data makes users vulnerable to online manipulation via phishing or identity theft. When you combine that with sensitive data such as sexual orientation and a person’s location, it can lead to physical danger, such as stalking or assault, or even government prosecution.”

Developer recommendations

The researchers offered four recommendations for developers of dating apps to improve security:

  1. Give users control over what data they share and with whom so they can make their own privacy decisions.
  2. Prevent data breaches by better protecting APIs to prevent unintended sharing of sensitive data.
  3. Limit data collection (data minimization) to the bare essentials for the app to work correctly, reducing the risk of data breaches.
  4. Think beyond the typical hacker: Even unsophisticated attackers can exploit subtle flaws in apps without breaking into servers.
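
Recommendations 1 to 3 applied to the API response for another user's profile, as an added example (not code from the researchers or from any of the apps named). The field names, grid size and distance buckets are assumptions, and snapping coordinates to a grid before computing distance is a mitigation chosen here for the trilateration issue, not one stated in the article.

```python
import math

# Assumed field names; anything not listed here never leaves the server.
PUBLIC_FIELDS = {"display_name", "age", "bio"}
OPT_IN_FIELDS = {"gender", "sexual_orientation", "religion", "political_affiliation"}
GRID_DEG = 0.01  # assumed snapping cell, roughly 1 km of latitude

# Constructed sample record as stored server-side.
SAMPLE = {
    "display_name": "Sam", "age": 29, "bio": "Hiking, coffee",
    "phone": "+32 000 00 00 00", "religion": "none",
    "sexual_orientation": "bi", "lat": 50.8798, "lon": 4.7005,
    "shared_fields": ["religion", "phone"],  # what the user asked to share
}

def snap(lat, lon, cell=GRID_DEG):
    """Move a position to the centre of its grid cell before any distance maths."""
    return (math.floor(lat / cell) * cell + cell / 2,
            math.floor(lon / cell) * cell + cell / 2)

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def distance_bucket(viewer_loc, owner_loc):
    """Coarse label from snapped positions, so moving inside a cell changes nothing."""
    km = haversine_km(snap(*viewer_loc), snap(*owner_loc))
    for limit, label in ((2, "<2 km"), (10, "<10 km"), (50, "<50 km")):
        if km < limit:
            return label
    return "50+ km"

def profile_for_viewer(record, viewer_loc):
    """Build the API response: allowlisted fields, opted-in fields, no coordinates."""
    shared = set(record.get("shared_fields", ())) & OPT_IN_FIELDS
    out = {k: record[k] for k in PUBLIC_FIELDS | shared if k in record}
    out["distance"] = distance_bucket(viewer_loc, (record["lat"], record["lon"]))
    return out

if __name__ == "__main__":
    print(profile_for_viewer(SAMPLE, (50.8712, 4.7011)))
```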
