Tinder flaw may have exposed members' exact whereabouts for months

For much of 2013, the dating application was a little too forthcoming with users' locations, according to security researchers.

Jennifer Van Grove Former Senior Writer / News

Popular swipe-right-to-like dating app Tinder exposed members' most private information without their knowledge, according to security consulting firm Include Security.

The firm said Wednesday that Tinder's smartphone application had a vulnerability associated with its geolocation feature for most of 2013. The flaw, which was fixed earlier this year, allowed a Tinder user -- albeit a sophisticated one with programming skills and access to the app's API -- to get the exact latitude and longitude for another user.

Tinder did not immediately return a request for comment.

Launched in September 2012 out of media conglomerate IAC's Hatch Labs, Tinder is a mobile application for finding dates with the swipe of a finger. The app, which tells you how far away a potential date is located, has made more than 500 million matches.

Though the distance feature is convenient for those who want to find dates closer to home, Tinder was transmitting very precise geolocation information behind the scenes, Include Security said. That data could be triangulated to determine where a user is located, as demonstrated in the video below. And to prove just how easy it was to pinpoint a person, Include Security's researchers exploited the vulnerability and built their own private application called TinderFinder. The application could locate a person simply by inputting his or her Tinder identification number.

"Due to Tinder's architecture, it is not possible for one Tinder user to know if another took advantage of this vulnerability during the time of exposure," Include Security founder Erik Cabetas said in a statement. "The repercussions of a vulnerability of this type were pervasive given Tinder's massive global base of users."

Include Security reported the vulnerability to Tinder in October 2013. The firm said that the flaw had been fixed as of January 2014.