Tinder Fails For Months To Inform Public Of Security Flaw That Reveals Users’ Exact Location

UPDATE Feb. 20: Tinder sent Consumerist the following statement the day after this story originally ran. It’s from CEO and founder Sean Rad.

The statement doesn’t explain the answer to the question of why Tinder failed to inform its users or the general public at large about the security flaw, but here’s what we’ve got:

Include Security identified a technical exploit that theoretically could have led to the calculation of a user’s last known location. Shortly after being contacted, Tinder implemented specific measures to enhance location security and further obscure location data. We did not respond to further inquiries about the specific security remedies and enhancements taken as we typically do not share the specifics of Tinder’s security measures. We are not aware of anyone else attempting to use this technique. Our users’ privacy and security continue to be our highest priority.

—————————— ORIGINAL STORY BELOW ——————————

The fun part about popular dating app Tinder is that you can effectively move through a virtual world of potential dates and mates, all from the safety of your own real-world location. Except that a new report from security researchers says a flaw in the app exposed users’ exact locations for months — with mileage specific down to 15 decimal places — and that Tinder never told the public about it.

The flaw is now being aired by a security company known as a “white-hat” hacking group, which hunts down problematic code on popular sites, apps and software and then gives companies a chance to fix the issues before going public with it, reports BusinessWeek.

Include Security says it first alerted Tinder to the flaw — which had servers spewing out detailed information that could allow a hacker with any kind of skills to pinpoint someone within 100 feet — all the way back on Oct. 23, 2013. Tinder didn’t issue a peep about it in any meaningful way until Dec. 2, Include says, which is when a Tinder employee asked for more time to fix the problem. The hole was finally patched sometime before Jan. 1, 2014.

With such a breach wide open for anywhere between 40 and 165 days, one might think Tinder would have something to say to its users. Instead, Chief Executive Officer Sean Rad has stayed mum on the issue, and, according to the researcher who identified the flaw, was less than helpful to him as well.

“I wouldn’t say they were extremely cooperative,” he says of the patchy correspondence with Rad and Tinder.

You might recall a similar episode back in July, when the app revealed users’ exact latitude and longitude for at least two weeks, a time span Rad called “a few hours” back then.

We’ve reached out to Tinder for comment on the situation and will let you know if we hear back. In the meantime, it sounds like users’ locations are secure, that is, unless there’s something else going on that Tinder will decide not to alert the public about in a timely manner.

Otherwise there will likely be plenty of users swiping Tinder itself to the left, and into the “NOPE” bin.

“We want technology companies to remember that as they’re moving a million miles an hour to innovate, they need to consider security and privacy as part of the value proposition they’re selling their customers,” the Include Security researcher adds. “Consumers tend to avoid use of applications, cloud services, or websites that severely encroach on their privacy.”

New Tinder Security Flaw Exposed Users’ Exact Locations for Months [BusinessWeek]