Tracking Guys Via Grindr Is Really Easy, And Grindr Doesn't Seem To Care


Steven_Draker

 

For over a year now, gay hook up app Grindr has had a serious security flaw which allows users to be tracked very closely, and Grindr's response has been tepid at best. Some countries were only blocked after the security flaw was discovered and some reported that Grindr was being used for tracking by Egyptian police and at the Russian Olympics in Sochi.

 

From a technical standpoint, finding someone's precise location from their Grindr profile is deceptively easy. Based on your current location, Grindr tells you the location of other users in the area, with a level of precision down to the meter. On its own, that's not exactly useful: if you're in a city, there's quite a lot of people within 6452 yards of you.

 

The problem with Grindr, however, is that through some incredibly basic spoofing (it doesn't even warrant being called a 'hack'), users can trick Grindr into thinking they're somewhere that they're not. If someone does this a few times in quick succession, they'll get the distance of each individual user from three different points. The result, as you can see from the high-school geometry below, is that individual Grindr users can be very precisely located:

 

[Image: diagram of the geometry described above]

 

It should be clear, then, that this is a fairly major security flaw that should have Grindr's executive team running worried. Except that doesn't appear to be happening. Grindr has been contacted by various media outlets, but they reportedly refused to make any additional comments outside of blog posts on their website here and here, and when we asked our contact at the app for a comment about the privacy issues, we received a rather dull and meaningless piece of PR spin that "may be attributed to Grindr."

 

We are continuing to evaluate user feedback on this core functionality of the application. We will continue to evolve and improve the operation of the application based on considerations of security and functionality and provide our users the tools and information they need to make informed decisions about the use of the Grindr application. Grindr encourages any user who has a concern about his location privacy to disable the sharing of his distance in Grindr settings.

That's a cop out, because not only are those blog posts four months old, but the security researcher that found the flaw did so in March of last year, and to date, Grindr hasn't addressed the problem. Grindr has disabled location sharing for countries they deem to have "a history of violence against the gay community," including Russia, Egypt and Iran, and loads of other places with anti-gay laws. Whilst that's certainly a step in the right direction, it's a poor Band-Aid on a problem that never should have existed, as it really doesn't even solve the issue at hand, according to Ars Technica.

 

The changes did nothing to prevent the Synack researchers from setting up a free account and tracking the detailed movements of several fellow users who volunteered to participate in the experiment.

Colby Moore, the researcher who uncovered the initial flaw, provided a list of simple behind-the-scenes fixes that Grindr could make, which would make precise location tracking like this impossible. Preventing numerous, fast location changes (like jumping from the US to Egypt and back in seconds) would be one of them.

 

The biggest thing is don't allow vast distance changes repeatedly. If I say I'm five miles here, five miles there within a matter of 10 seconds, you know something is false. There are a lot of things you can do that are easy on the backside.

Adding 'rounding error' into the location, so that not even Grindr's servers know the actual location of users, would be even better:

 

You just introduce some rounding error into a lot of these things. A user will report their coordinates, and on the backend side Grindr can introduce a slight falsehood into the reading.

But as it currently stands, anyone with the ability to Google (and a teaspoon of computing nous) is able to track Grindr users in the US (and almost any other country in the world). The privacy and personal security implications should be obvious, and terrifying — everything from physical harm downwards is made exponentially easy when you have a map telling you the location of gay men in real time.

 

What makes this even more insidious is that many users don't even realise how deep the exploit exposes them. There are some gay men who believe that disabling location on their phone will prevent the exploit from working: it doesn't. It may hide it from being seen by the Grindr user, but it doesn't stop others from accessing the data, and users like Matt Midgett in Japan (a very safe country for LGBT folks, or for anyone, in general) are unaware of it.

 

The location tracking isn't really that reliable, even if they're using those numbers, that's a setting that you can hide so it isn't displayed, and it only updates when I'm on Grindr, which means I'm aware of when it's tracking me and usually I'm in a situation where I more or less don't mind.

Except, of course, it is that reliable. It just may not appear to be that reliable. And even in countries where, overall, the population is tolerant of the gay community, there are always exceptions. Some are violent bigots, some are criminals, and some are mentally ill. Reports here on ROYGBIV show the frequency of attacks on LGBT individuals. Some of them end in murder. And these occur in the countries Grindr hasn't sought to block: including Japan and the United States.

 

In fairness to Grindr, there will always be privacy issues with apps that share user locations with other users. As Moore said, "If an app shares *any* information about your location (whether it's relative distance, coordinates, estimation of location, etc.), there is always a way to locate someone. The only variable is to what precision and with what speed."

 

What makes Grindr's flaw so bad is the simplicity — it's the tech equivalent to leaving your keys on the front tire and hoping no-one bothers to look — combined with the lack of action. Rather than rushing to address a crucial security flaw, one that helps paint a literal target on members of an at-risk community, Grindr has continued to rely on bad patches and PR spin.

 

source: http://roygbiv.jezebel.com/tracking-guys-via-grindr-is-really-easy-and-grindr-doe-1681615224

Link to comment
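
The two server-side mitigations Moore describes in the article above (refusing implausibly fast location changes, and coarsening coordinates before any distance is computed), as an added Python example that is not Grindr's code and not part of the original post. The speed ceiling, grid size, bucket size and all names are assumptions chosen for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000
MAX_SPEED_MPS = 340.0   # assumed plausibility ceiling; tune per product
GRID_DEG = 0.01         # assumed cell size, about 1.1 km of latitude
BUCKET_M = 500          # assumed granularity of the distance shown to users

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

class LocationGuard:
    """Remembers each account's last accepted fix and rejects implausible jumps."""

    def __init__(self):
        self._last = {}  # account id -> (timestamp in seconds, (lat, lon))

    def accept(self, account, ts, pos):
        prev = self._last.get(account)
        if prev is not None:
            elapsed = max(ts - prev[0], 1e-9)
            if haversine_m(prev[1], pos) / elapsed > MAX_SPEED_MPS:
                return False  # keep the old fix; serve no distances for the new one
        self._last[account] = (ts, pos)
        return True

def snap(pos, grid=GRID_DEG):
    """Coarsen a reported coordinate to the centre of its grid cell.

    Snapping is deterministic, so repeated queries cannot average it away
    the way they could with fresh random noise on every request.
    """
    return tuple((math.floor(c / grid) + 0.5) * grid for c in pos)

def displayed_distance_m(viewer, target):
    """Distance between snapped positions, rounded up to a whole bucket."""
    d = haversine_m(snap(viewer), snap(target))
    return max(1, math.ceil(d / BUCKET_M)) * BUCKET_M
```
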

Very interesting article.

 

In fairness to Grindr, there will always be privacy issues with apps that share user locations with other users. As Moore said, "If an app shares *any* information about your location (whether it's relative distance, coordinates, estimation of location, etc.), there is always a way to locate someone. The only variable is to what precision and with what speed."

 

Yep, but as the article goes on to imply, without that precision and speed, it would not be cost-effective for hostile governments to track large groups of people.

Link to comment

... as the article goes on to imply, but without that precision and speed, it would not be cost-effective for hostile governments to track large groups of people.

 

The cost for this merely curious individual to build a real time map of grindr users in Phoenix came to six hours of labor plus about $30 for coffee and snacks at the Starbucks that supplied the Internet connection. I did all the work on a MacBook Pro. The technology and required expertise are common and readily available.

Link to comment

It sounds like Grindr must have much more accurate location detection than Adam4Adam. There's someone who lives in my building on Adam4Adam and while it typically displays the same approximate distance from me, that approximate distance is fairly inaccurate. And I've met some other people, too, whose locations weren't quite the distance provided by Adam4Adam.

Link to comment

I think GRINDR is a whole lot of fun, personally. Professionally I feel it is hurting the escort biz and hurting our biz A LOT. It is what it is....... I use it for two reasons: 1. it is where the hottest guys hook up which no longer happens in the bars. 2. It is a great place to get new clients who DO NOT frequent rentboy, rentmen or men 4 rent now. It is an intake site much like adam for adam or craigslist. I very politely turn down 95 % of the guys who hit on me on those sites for a hook up but I offer them the direct link to my rentboy ad. A large percentage book with me. http://www.rentboy.com/magicmikey or just TWINK MAGNET on grindr! lol

Link to comment

The cost for this merely curious individual to build a real time map of grindr users in Phoenix came to six hours of labor plus about $30 for coffee and snacks at the Starbucks that supplied the Internet connection. I did all the work on a MacBook Pro. The technology and required expertise are common and readily available.

 

Right, that's exactly my point. The current grindr setup makes it easy to track cheaply. Giving less precise and/or delayed distance numbers would still allow tracking, but it would require more time to get the information needed.

Link to comment

All Grindr users connect via an app that runs on mobile phones (with gps enabled). Adam4Adam supports connections from a wider range of devices, including desktop computers (that rarely have gps chips). Your neighbor probably connects from a desktop computer that is forwarding a location estimated based on the SSIDs of nearby wireless routers.

Link to comment
