Last year, when it fixed a privacy vulnerability in its dating app, Tinder might have actually introduced a new bug that exposed the exact location of any user. The security hole has been fixed.
The old vulnerability, which enabled hackers to query the Tinder API and obtain the coordinates of any user, was addressed in July 2013. Later, in October 2013, researchers from Include Security identified and reported another security hole.
This flaw exposed the exact latitude and longitude of any user. The researchers built an app, called TinderFinder (it’s not being made public), to obtain a target’s exact location by using triangulation.
Include Security says this type of vulnerability is not specific to Tinder; similar issues are found in many mobile apps.
The flaw was fixed by Tinder sometime between December 2 and January 1. Tinder hasn’t been too keen on sharing fix details with the security researchers.
You can check out the video published by Include Security to see how this attack worked. Additional technical details are available on Include Security’s blog.