Flaw In Grindr Infrastructure Allows For Spying On Exact Location, Profile Details: VIDEO

An exploit recently discovered in the current generation of Grindr applications allows anyone with an internet connection and enough skill to query Grindr’s servers. Grindr and similar applications work from a cell phone’s geolocation information, which is based on a combination of cell phone signal, proximity to Wi-Fi hot spots, and GPS. Generally, Grindr gives users a general idea of where they are in relation to one another, denoted in a chosen unit of measurement.

When questioned about the security flaw, a Grindr representative claimed that the sharing of location data was a feature of the application, rather than a mistake. This particular bug, however, functions somewhat differently from how the average Grindr user’s phone might.

By pinging Grindr’s servers for location requests linked to a particular Grindr user multiple times, it is possible to triangulate a person’s exact location with a degree of accuracy uncharacteristic of the application. In addition to detailed location information, it is possible to parse all of the information included on a Grindr user’s profile. All of this can be achieved without actually using Grindr from either a phone or a tablet, as explained by NDTV. The only protection that Grindr users have at their disposal currently is to completely disable any locational permissions given to the app, effectively crippling it.
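Repeated requests of the kind described above have to claim several different vantage points in quick succession, which a server can detect. The following is an added example, not code from the article or from Grindr: it flags clients whose self-reported coordinates change faster than anyone could travel between consecutive requests. The log format, client IDs, and thresholds are assumptions, and the sample log is constructed.

```python
import math
from collections import defaultdict

MAX_SPEED_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed
MIN_JUMPS = 2          # assumed: tolerate one bad GPS fix before flagging

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def flag_location_hoppers(requests, max_speed_kmh=MAX_SPEED_KMH, min_jumps=MIN_JUMPS):
    """Return {client_id: jump_count} for clients whose claimed positions
    imply impossible travel between consecutive nearby-user requests."""
    by_client = defaultdict(list)
    for client_id, ts, lat, lon in requests:
        by_client[client_id].append((ts, lat, lon))
    flagged = {}
    for client_id, points in by_client.items():
        points.sort()  # order each client's requests by timestamp
        jumps = 0
        for (t0, la0, lo0), (t1, la1, lo1) in zip(points, points[1:]):
            hours = max(t1 - t0, 1) / 3600.0  # clamp to 1 s to avoid dividing by zero
            if haversine_km(la0, lo0, la1, lo1) / hours > max_speed_kmh:
                jumps += 1
        if jumps >= min_jumps:
            flagged[client_id] = jumps
    return flagged

# Constructed sample log: (client_id, unix_seconds, claimed_lat, claimed_lon)
SAMPLE_REQUESTS = [
    ("dev-walker", 1000, 40.7128, -74.0060),
    ("dev-walker", 1300, 40.7150, -74.0030),  # ~350 m in 5 minutes: walking pace
    ("dev-walker", 1600, 40.7170, -74.0000),
    ("dev-hopper", 1000, 40.7128, -74.0060),
    ("dev-hopper", 1002, 40.8000, -74.0060),  # ~9.7 km in 2 seconds
    ("dev-hopper", 1004, 40.7128, -73.9000),
    ("dev-hopper", 1006, 40.6500, -74.0500),
]

if __name__ == "__main__":
    print(flag_location_hoppers(SAMPLE_REQUESTS))
```

A flagged client is a candidate for rate limiting or for coarser distance answers; the speed ceiling and jump count would need tuning against real traffic.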

According to NDTV, an anonymous samaritan has been using the flaw to let people using Grindr in countries known to be hostile towards gays know that their identities could, in theory, be compromised. As of the 19th, the hacktivist reported having contacted 100,000 Grindr users in over 70 countries with anti-gay laws in effect. Since then they’ve taken to posting warnings to a Twitter profile, YouTube Channel, and a Pastebin text page.


UPDATE: Grindr has reached out to us about this report, releasing the following statement:

"We don’t view this as a security flaw. As part of the Grindr service, users rely on sharing location information with other users as core functionality of the application and Grindr users can control how this information is displayed. For Grindr users concerned about showing their proximity, we make it very easy for them to remove this option and we encourage them to disable ‘show distance’ in their privacy settings. As always, our user security is our top priority and we do our best to keep our Grindr community secure."

 

Comments

  1. MATTROCKS says

    Why worry? That just means one more new friend to “bond” with over your sexuality, right LITTLE KIWI? Invite them over for a game of scrabble and some milk and cookies and talk about this shared experience of being gay and you will have friends for life. After all, a stranger is just a friend you haven’t met yet!

  2. Sid says

    This has always been possible with Grindr. I tried the same thing years ago by capturing and modifying the communication between the app and Grindr’s servers. You can also easily track individual people like your favorites that way. This is not a “flaw” in the security mechanisms of the app: There is NO security at all. They could make it harder by using some sort of encryption and I’m surprised that they didn’t do that already.

    Regardless of what they do, if you really want to find out the approximate location of someone fairly close to you (let’s say in the same city) you can always take a walk around the block, write down the distance to that user at three different points and then take a map and draw three circles around these points with a radius of the measured distance. Your circles will meet in one point and that’s the location of the user. If someone’s not as close this probably won’t work because of the curvature of the earth. But for most cases it’s surprisingly easy and accurate. Btw. this is called trilateration, not triangulation. There are even apps for that.

  3. Sid says

    An easy fix for that would be if Grindr made the distance values really inaccurate in the app. Instead of giving an exact value they should at least round to about the next bigger multiple of 100 meters or so. Right now it’s the other way around: If I recall correctly it’s presently even possible to ask for super exact values when you intercept the communication between the app and the servers, much more precise than what the app tells you. They should probably get rid of that “feature” and they should really encrypt that invisible communication happening in the background.

  4. MajorTom says

    Not a Grindr user, but it seems the smartest approach would be not to give a distance at all. Perhaps Grindr could simply specify that the object of one’s interest was “within range” where the range is some fixed distance. Perhaps a mile? It would then be up to the two parties to settle on when and where to meet–if at all. Of course Grindr would have to secure its servers against external queries as well.

  5. Carmelo says

    First, I’m not Rick. I don’t know Rick, I don’t care to know Rick. Although our ideologies might meet up on occasion, we aren’t the same person.

    Second, initially I thought this wasn’t a big deal, but assuming someone was dedicated to doing some damage, it could be huge upon further reflection. I know the general consensus is of a grindr whore, but no one deserves to get raped and deal with that.

    I dislike rape and hypocrisy.

  6. Carmelo says

    Little kiwi, and the other names you post under… Come at me. Let’s check ip’s. I bet you and Tyler are the same. I always thought you were more than a touch daft. You’ve recently proved it.

  7. Carmelo says

    Little kiwi, it’s a shame you feel the need to be shady. Sometimes you have valid points, unfortunately, you’re as honest as… I can’t even think of anything as dishonest as you: and I deal with criminals all day. Maybe if you saw that your view is unpopular (and not without reason) you might be more honest. I don’t know your real name, I don’t care. I’d never release that. I think you’re wrong and that you advocate rape.

    I don’t think advocating rape is criminal, I do think it’s immoral. I think you’re due for some serious self reflection: saying that a transgender is owed sex because of how they are is the same as saying someone is owed sex for being gay. Insane. That anyone is not attracted to them is a homophobe is stupid. Which you are.

    Transgenders. If someone doesn’t want to have sex with them…guess what!? It’s their prerogative! Saying no is not discrimination! It’s them saying no! Coercing them into having sex with someone they don’t want to is rape. You’re probably a rapist!

    So please don’t disparage me. I think you’re an evil rapist by proxy.

  9. Tyler says

    Carmelo/Rick, we already know you’re the same person. For like a month at least we’ve known this. We have multiple examples to prove this. So cut the BS.

    Kiwi and I continue to be two totally different people who live on opposite sides of the US. I’m sorry we troll hunt you. You are a troll after all.

  10. Nick says

    It’s definitely irresponsible for Grindr to not be encrypting the data and verifying that the app is what is requesting the data.

    It’s dumb that they’re not using measures to detect abuse and cut off devices that appear to be triangulating or mining data in other ways.

    If they reduced the precision of the location gathering they’d also save significantly on battery life. Do you really need to know that someone is 100 meters away versus 10?

    Apple should probably add something to the guidelines that prohibit sharing of precise location to other users. “You are 10 meters from Starbucks” is a lot more proper than “You are 10 meters from Jimmy69.”

  11. Donovan says

    How many different ways do these sex apps have to degrade, abuse, exploit and endanger us before we wake up and realize that this is not a good thing to have in our lives?

    Yes, I know there are instances here and there where someone met a friend or someone had a hookup that turned into something more. There are also cases where people meet friends and future spouses at the scene of some natural disaster. There are also cases where crack cocaine really helps someone get through the day with no downside. But we don’t go looking to pay a subscription to put more disasters and crack in our lives on the assumption that the good balances out the bad.

    Let’s respect ourselves and say goodbye to all of these exploitative hookup apps.

  12. UFFDA says

    TYLER- if you were half as smart as you think you are you’d stop being so sure of yourself. Carmelo is not Rick. Stop digging yourself deeper. Give it up. You’re a self-inflated and clueless fool, paranoid as well.

  13. Bill says

    @Sid: what happens with your algorithm when the person you are tracking is also walking around as he is as mobile as you are?

    The algorithm you suggest only works if the guy doesn’t move while you take the measurements.

    BTW, SSL encryption is expensive computationally. That’s probably the real reason grindr is not using it. Remember that you have to encrypt for each user – if all have a shared key, someone snooping will be able to get the key too.

  14. Sid says

    @bill: You just have to be quick. This web site is doing the same thing, only faster because you can instantly change your location in the request to the server. I’m not sure how often Grindr actually refreshes a user’s location. It does so when you quit and restart the app. That’s how you are taking the measurements. If you have the app on screen and you are running around it probably won’t update your location with every step. I think someone trying to find out where you are would still get a valid location in most cases, but maybe you wouldn’t be in that place anymore. Same thing as if you just turned off the app and walked away from the place you just were at. Thankfully this will always be an option. :-)

  15. lessthan says

    I clicked on this post to say the same thing, Sid. I’ve used a trilateration app with Grindr and Scruff for shits and giggles. When used with a GPS ghosting app, it is pretty easy to get a location within a block or so. Even without the apps, a quick walk around the block will do the same thing. This has always been a part of GPS apps in general. Pointing out this flaw now is as useful as closing the barn door after the cows are out.

  16. BrokebackBob says

    My attitude is that if you are a user of an application in “the cloud” (a stupid metaphor for thousands of server farms), and you have signed up, then you get what you get. If you don’t want to be geo-located, don’t use the application. Don’t whine about features when you’re signed up to meet guys and maybe have sex and they have done the same thing. You fling your privacy to “the cloud”. Or not.

  17. Sean Maloney says

    Anyone who goes to the extent of using a “trilateration” app to locate someone specifically is just downright creepy. Or needs a better hobby.

  18. Bill says

    @Sid: it means your algorithm is not reliable. You can’t say “be quick” when the party you are trying to track is moving around as fast as you are.

    The point of sending modified requests to the server is presumably to get responses before the person being tracked can move more than a trivial distance. To get a similar effect, you would have to have several accomplices who would all get a measurement at the same time but from different locations.

  19. Bill says

    @Sid: to show how bad your algorithm can be, draw a circle of radius R, move a distance R/10, and draw another circle of radius R, the case you’d get if your target moved R/10 in the same direction you did. The possible locations where these two circles intersect will be in a direction 87.13 degrees from the line that both of you followed.

    The servers get updates every so often, and they probably set up the cellphone app to report positions to the server when someone moved, and much less frequently if sitting in one spot. The idea is to get a reasonable tradeoff between accuracy and server load. The phone may also estimate your speed and direction, and send that to the server as well, but not report that information to users sending requests for people in a specific area.

  20. GregV says

    I just got a warning message from a distance on the other side of the globe saying that “someone has located you” using Grindr.gay.cat. On the one hand it seems a little intrusive. On the other hand, I’m not sure that I care whether someone might have been able to figure out where I was buying a coffee at that moment. (Anybody in the coffee shop could have figured that out by seeing me with their eyes.)

  21. Capt Eric says

    I just don’t understand. We use the app to pinpoint our position. Now someone says they found a different way to pinpoint our position and that is bad. The app is just that to see who is around you potentially. Makes for great BBQs at the sand bar. It’s not like we don’t know that. It’s not like we are not warned when we use the app. Same day this happened I found Scruff a new app to me but it shows my location. For my protection I DON’T USE FACE BOOK or Linkedin or any other social media used for tracking people nowadays. Give us a break and put the distance back on the app. It’s no fun without it.
