
Flaw In Grindr Infrastructure Allows For Spying On Exact Location, Profile Details: VIDEO

An exploit recently discovered in the current generation of Grindr applications allows anyone with an internet connection and enough skill to query Grindr’s servers. Grindr, and applications like it, function using a cell phone’s geo-location information, based on a combination of cell phone signal, proximity to wi-fi hot spots, and use of GPS tech. Generally, Grindr will provide users with a general idea of where they are in relation to one another, denoted in a chosen unit of measurement.

When questioned about the security flaw, a Grindr representative claimed that the sharing of location data was a feature of the application, rather than a mistake. This particular bug, however, functions somewhat differently than the average Grindr user’s phone might.

By pinging Grindr’s servers for location requests linked to a particular Grindr user multiple times, it is possible to triangulate a person’s exact location with a degree of accuracy uncharacteristic of the application. In addition to detailed location information, it is possible to parse all of the information included on a Grindr user’s profile. All of this can be achieved without actually using Grindr from either a phone or a tablet, as explained by NDTV. The only protection that Grindr users have at their disposal currently is to completely disable any locational permissions given to the app, effectively crippling it.

According to NDTV, an anonymous samaritan has been using the flaw to let people using Grindr in countries known to be hostile towards gays know that their identities could, in theory, be compromised. As of the 19th, the hacktivist reported having contacted 100,000 Grindr users in over 70 countries with anti-gay laws in effect. Since then they’ve taken to posting warnings to a Twitter profile, YouTube Channel, and a Pastebin text page.

Watch a video demonstration explaining the security exploit, AFTER THE JUMP...

UPDATE: Grindr has reached out to us about this report, releasing the following statement:

"We don’t view this as a security flaw. As part of the Grindr service, users rely on sharing location information with other users as core functionality of the application and Grindr users can control how this information is displayed. For Grindr users concerned about showing their proximity, we make it very easy for them to remove this option and we encourage them to disable ‘show distance’ in their privacy settings. As always, our user security is our top priority and we do our best to keep our Grindr community secure."

 


Comments

  1. Pretty creepy. I wonder if the hacker is doing more harm than good by publicizing how easy it is to exploit the app?

    Posted by: JMC | Aug 26, 2014 6:55:16 PM


  2. Why worry? That just means one more new friend to "bond" with over your sexuality, right LITTLE KIWI? Invite them over for a game of scrabble and some milk and cookies and talk about this shared experience of being gay and you will have friends for life. After all, a stranger is just a friend you haven't met yet!

    Posted by: MATTROCKS | Aug 26, 2014 7:04:50 PM


  3. Sarcasm btw.

    Posted by: MATTROCKS | Aug 26, 2014 7:06:55 PM


  4. This has always been possible with Grindr. I tried the same thing years ago by capturing and modifying the communication between the app and Grindr's servers. You can also easily track individual people like your favorites that way. This is not a "flaw" in the security mechanisms of the app: There is NO security at all. They could make it harder by using some sort of encryption and I'm surprised that they didn't do that already.

    Regardless of what they do, if you really want to find out the approximate location of someone fairly close to you (let's say in the same city) you can always take a walk around the block, write down the distance to that user at three different points and then take a map and draw three circles around these points with a radius of the measured distance. Your circles will meet in one point and that's the location of the user. If someone's not as close this probably won't work because of the curvature of the earth. But for most cases it's surprisingly easy and accurate. Btw. this is called trilateration, not triangulation. There are even apps for that.

    Posted by: Sid | Aug 26, 2014 7:43:41 PM


  5. An easy fix for that would be if Grindr made the distance values really inaccurate in the app. Instead of giving an exact value they should at least round to about the next bigger multiple of 100 meters or so. Right now it's the other way around: If I recall correctly it's presently even possible to ask for super exact values when you intercept the communication between the app and the servers, much more precise than what the app tells you. They should probably get rid of that "feature" and they should really encrypt that invisible communication happening in the background.

    Posted by: Sid | Aug 26, 2014 7:55:29 PM
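
Added example, not part of the original comment thread and not Grindr's code: one way a server could apply the coarsening proposed in the comment above. Rounding up to the next multiple of 100 m comes from the comment; snapping both positions to a grid cell first, the cell size, the function names and the coordinates are assumptions made here.

```python
import math

EARTH_RADIUS_M = 6_371_000
BUCKET_M = 100      # granularity proposed in the comment above
GRID_DEG = 0.002    # assumed cell size, about 220 m of latitude

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def snap(pos, cell=GRID_DEG):
    """Move a position to the centre of its grid cell before any use,
    so the precise coordinates never enter the distance calculation."""
    return tuple((math.floor(c / cell) + 0.5) * cell for c in pos)

def reported_distance_m(viewer, target):
    """Distance the API may return: snapped inputs, rounded up to a bucket."""
    d = haversine_m(snap(viewer), snap(target))
    return max(BUCKET_M, math.ceil(d / BUCKET_M) * BUCKET_M)

def serialize_distance(viewer, target, show_distance=True):
    """Response field; None when the target has disabled 'show distance'."""
    return reported_distance_m(viewer, target) if show_distance else None
```

The coarsening has to happen on the server, before the response is built, so that no client request can obtain the precise value.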


  6. Not a Grindr user, but it seems the smartest approach would be not to give a distance at all. Perhaps Grindr could simply specify that the object of one's interest was "within range" where the range is some fixed distance. Perhaps a mile? It would then be up to the two parties to settle on when and where to meet--if at all. Of course Grindr would have to secure its servers against external queries as well.

    Posted by: MajorTom | Aug 26, 2014 8:48:09 PM


  7. First, I'm not Rick. I don't know Rick, I don't care to know Rick. Although our ideologies might meet up on occasion, we aren't the same person.

    Second, initially I thought this wasn't a big deal, but assuming someone was dedicated to doing some damage, it could be huge upon further reflection. I know the general consensus is of a grindr whore, but no one deserves to get raped and deal with that.

    I dislike rape and hypocrisy.

    Posted by: Carmelo | Aug 26, 2014 8:52:35 PM


  8. Little kiwi, and the other names you post under... Come at me. Let's check ip's. I bet you and Tyler are the same. I always thought you were more than a touch daft. You've recently proved it.

    Posted by: Carmelo | Aug 26, 2014 9:00:50 PM


  9. Little kiwi, it's a shame you feel the need to be shady. Sometimes you have valid points, unfortunately, you're as honest as... I can't even think of anything as dishonest as you: and I deal with criminals all day. Maybe if you saw that your view is unpopular (and not without reason) you might be more honest. I don't know your real name, I don't care. I'd never release that. I think you're wrong and that you advocate rape.

    I don't think advocating rape is criminal, I do think it's immoral. I think you're due for some serious self reflection: saying that a transgender is owed sex because of how they are is the same as saying someone is owed sex for being gay. Insane. That anyone is not attracted to them is a homophobe is stupid. Which you are.

    Transgenders. If someone doesn't want to have sex with them...guess what!? It's their prerogative! Saying no is not discrimination! It's them saying no! Coercing them into having sex with someone they don't want to is rape. You're probably a rapist!

    So please don't disparage me. I think you're an evil rapist by proxy.

    Posted by: Carmelo | Aug 26, 2014 9:26:26 PM


  10. Little kiwi, it's a shame you feel the need to be shady. Sometimes you have valid points, unfortunately, you're as honest as... I can't even think of anything as dishonest as you: and I deal with criminals all day. Maybe if you saw that your view is unpopular (and not without reason) you might be more honest. I don't know your real name, I don't care. I'd never release that. I think you're wrong and that you advocate rape.

    I don't think advocating rape is criminal, I do think it's immoral. I think you're due for some serious self reflection: saying that a transgender is owed sex because of how they are is the same as saying someone is owed sex for being gay. Insane. That anyone is not attracted to them is a homophobe is stupid. Which you are.

    Transgenders. If someone doesn't want to have sex with them...guess what!? It's their prerogative! Saying no is not discrimination! It's them saying no! Coercing them into having sex with someone they don't want to is rape. You're probably a rapist!

    So please don't disparage me. I think you're an evil rapist by proxy.

    Posted by: Carmelo | Aug 26, 2014 9:26:28 PM


  11. Sid - Thanks for the insight.

    Posted by: Markt | Aug 26, 2014 9:46:31 PM


  12. Carmelo/Rick, we already know you're the same person. For like a month at least we've known this. We have multiple examples to prove this. So cut the BS.

    Kiwi and I continue to be two totally different people who live on opposite sides of the US. I'm sorry we troll hunt you. You are a troll after all.

    Posted by: Tyler | Aug 26, 2014 11:02:55 PM


  13. It's definitely irresponsible for Grindr to not be encrypting the data and verifying that the app is what is requesting the data.

    It's dumb that they're not using measures to detect abuse and cut off devices that appear to be triangulating or mining data in other ways.

    If they reduced the precision of the location gathering they'd also save significantly on battery life. Do you really need to know that someone is 100 meters away versus 10?

    Apple should probably add something to the guidelines that prohibit sharing of precise location to other users. "You are 10 meters from Starbucks" is a lot more proper than "You are 10 meters from Jimmy69."

    Posted by: Nick | Aug 26, 2014 11:14:22 PM
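
Added example, not part of the original comment thread and not Grindr's code: a sketch of the abuse detection asked for in the comment above, flagging clients whose claimed position changes faster than a device could travel. The log layout, thresholds, client ids and sample rows are all constructed for illustration.

```python
import math
from collections import defaultdict

MAX_SPEED_MPS = 85.0   # assumed ceiling, about 300 km/h
MIN_JUMPS = 2          # assumed: tolerate a single GPS glitch

def distance_m(a, b):
    """Equirectangular approximation, adequate for a speed sanity check."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    x = (lon2 - lon1) * math.cos((lat1 + lat2) / 2)
    return 6_371_000 * math.hypot(x, lat2 - lat1)

def flag_location_jumpers(requests):
    """requests: iterable of (epoch_seconds, client_id, lat, lon).
    Returns the client ids whose claimed position moved faster than
    MAX_SPEED_MPS at least MIN_JUMPS times."""
    last = {}
    jumps = defaultdict(int)
    for ts, client, lat, lon in sorted(requests):
        if client in last:
            prev_ts, prev_pos = last[client]
            dt = max(ts - prev_ts, 1)  # avoid division by zero
            if distance_m(prev_pos, (lat, lon)) / dt > MAX_SPEED_MPS:
                jumps[client] += 1
        last[client] = (ts, (lat, lon))
    return sorted(c for c, n in jumps.items() if n >= MIN_JUMPS)

# Constructed sample of location-bearing API requests.
SAMPLE = [
    (1000, "dev-a", 52.5200, 13.4050),
    (1060, "dev-a", 52.5204, 13.4056),   # walking pace
    (1120, "dev-a", 52.5209, 13.4061),
    (1000, "dev-b", 52.5200, 13.4050),
    (1005, "dev-b", 52.5600, 13.4050),   # kilometres apart within seconds
    (1010, "dev-b", 52.5200, 13.4700),
    (1015, "dev-b", 52.4900, 13.3600),
    (1000, "dev-c", 48.1000, 11.5000),
    (1030, "dev-c", 48.2000, 11.5000),   # one isolated glitch
    (1090, "dev-c", 48.2001, 11.5001),
]
```

Flagged clients can be rate-limited or served only coarse results; the thresholds need tuning against real traffic before anything is cut off.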


  14. How many different ways do these sex apps have to degrade, abuse, exploit and endanger us before we wake up and realize that this is not a good thing to have in our lives?

    Yes, I know there are instances here and there where someone met a friend or someone had a hookup that turned into something more. There are also cases where people meet friends and future spouses at the scene of some natural disaster. There are also cases where crack cocaine really helps someone get through the day with no downside. But we don't go looking to pay a subscription to put more disasters and crack in our lives on the assumption that the good balances out the bad.

    Let's respect ourselves and say goodbye to all of these exploitative hookup apps.

    Posted by: Donovan | Aug 26, 2014 11:54:48 PM


  15. TYLER- if you were half as smart as you think you are you'd stop being so sure of yourself. Carmelo is not Rick. Stop digging yourself deeper. Give it up. You're a self-inflated and clueless fool, paranoid as well.

    Posted by: UFFDA | Aug 27, 2014 12:22:37 AM


  16. Rick, if you're going to come to your own defense, it'd be wise not to use an alias most people already readily know is you (hey, Uffda!).

    Posted by: Tyler | Aug 27, 2014 1:53:23 AM


  17. @Sid: what happens with your algorithm when the person you are tracking is also walking around as he is as mobile as you are?

    The algorithm you suggest only works if the guy doesn't move while you take the measurements.

    BTW, SSL encryption is expensive computationally. That's probably the real reason grindr is not using it. Remember that you have to encrypt for each user - if all have a shared key, someone snooping will be able to get the key too.

    Posted by: Bill | Aug 27, 2014 2:08:29 AM


  18. where is the chill tho? little kiwi always has all of you so bothered it's so pathetic. what even set off this nonsense this time?

    Posted by: JMC | Aug 27, 2014 3:41:10 AM


  19. @bill: You just have to be quick. This web site is doing the same thing, only faster because you can instantly change your location in the request to the server. I'm not sure how often Grindr actually refreshes a user's location. It does so when you quit and restart the app. That's how you are taking the measurements. If you have the app on screen and you are running around it probably won't update your location with every step. I think someone trying to find out where you are would still get a valid location in most cases, but maybe you wouldn't be in that place anymore. Same thing as if you just turned off the app and walked away from the place you just were at. Thankfully this will always be an option. :-)

    Posted by: Sid | Aug 27, 2014 3:58:42 AM


  20. I clicked on this post to say the same thing, Sid. I've used a trilateration app with Grindr and Scruff for shits and giggles. When used with a GPS ghosting app, it is pretty easy to get a location within a block or so. Even without the apps, a quick walk around the block will do the same thing. This has always been a part of GPS apps in general. Pointing out this flaw now is as useful as closing the barn door after the cows are out.

    Posted by: lessthan | Aug 27, 2014 5:50:04 AM


  21. My attitude is that if you are a user of an application in "the cloud" (a stupid metaphor for thousands of server farms), and you have signed up, then you get what you get. If you don't want to be geo-located, don't use the application. Don't whine about features when you're signed up to meet guys and maybe have sex and they have done the same thing. You fling your privacy to "the cloud". Or not.

    Posted by: BrokebackBob | Aug 27, 2014 7:48:37 AM


  22. We really can't be that surprised can we? Your phone is a tracking device. Period.

    Posted by: Ted | Aug 27, 2014 9:39:47 AM


  23. Anyone who goes to the extent of using a "trilateration" app to locate someone specifically is just downright creepy. Or needs a better hobby.

    Posted by: Sean Maloney | Aug 27, 2014 9:54:56 AM


  24. So you mean the identities of all of those headless torsos could be exposed??? Oh, the humanity!!!!

    Posted by: David | Aug 27, 2014 1:25:19 PM


  25. @Sid: it means your algorithm is not reliable. You can't say "be quick" when the party you are trying to track is moving around as fast as you are.

    The point of sending modified requests to the server is presumably to get responses before the person being tracked can move more than a trivial distance. To get a similar effect, you would have to have several accomplices who would all get a measurement at the same time but from different locations.

    Posted by: Bill | Aug 27, 2014 2:13:57 PM

