Researchers Claim Bumble and Hinge Enable Stalking by Pinpointing Users’ Locations to 2 Meters

Researchers from KU Leuven in Belgium have uncovered significant vulnerabilities in several popular dating apps, including Bumble and Hinge, that allow malicious users to accurately track victims' locations, sometimes within just two meters. Their findings, published in a recent academic paper, examined 15 popular dating applications and revealed that Badoo, Bumble, Grindr, happn, Hinge, and Hily shared a common flaw that could enable stalkers or other malicious individuals to determine the near-exact location of other users.

While these apps do not publicly disclose exact locations when showing distances between users, they utilize precise location data for their filtering features. These filters enable users to customize their search for potential partners based on various criteria, including distance. By exploiting this vulnerability, the researchers employed a technique called “oracle trilateration” to estimate the location of a target user. This method is based on standard trilateration used in GPS technology but adapted to take advantage of the dating apps' functionalities.

To execute oracle trilateration, the attacker first estimates the victim's location using the information available in their profile. Then, the attacker methodically moves in specified increments until the app indicates that the target is no longer within proximity. By repeating this process in three different directions, the attacker can establish three points with known distances, allowing them to pinpoint the victim’s location.

Karel Dhondt, one of the researchers, expressed surprise that these known vulnerabilities still existed in widely used apps. While the technique does not reveal exact GPS coordinates, Dhondt emphasized that a precision of two meters is close enough to effectively track a user.

Fortunately, following the researchers' outreach, all the affected apps have made necessary changes to their distance filter systems to mitigate this vulnerability. The recommended fix involved rounding the exact coordinates by three decimal points, which diminishes the precision and, consequently, the risk of exploitation. Gabrielle Ferree, vice president of global communications at Bumble, confirmed that the company was informed of these findings in early 2023 and promptly resolved the issues.

Dmytro Kononov, the CTO and co-founder of Hily, acknowledged the potential for trilateration but argued that exploiting it was impractical due to their internal mechanisms that protect against such attacks. He stated that they collaborated with the researchers to create new geocoding algorithms that effectively eliminate this vulnerability.

Happn’s CEO, Karima Ben Abdelmalek, also highlighted the company’s additional protective measures, which were not fully considered in the researchers' analysis. According to Ben Abdelmalek, these measures rendered the trilateration technique ineffective for their users.

In contrast, the researchers noted that Grindr users could be located to within about 111 meters of their exact coordinates. While this distance is better than the two meters possible with other apps, it still poses a safety risk, especially in densely populated areas. Grindr stated that this level of precision is a feature, not a flaw, as it enhances connectivity for users within the LGBTQ+ community. Kelly Peterson Miranda, Grindr's chief privacy officer, emphasized that users have control over their location visibility, allowing them to disable the display of their distance if they choose.

Overall, the research raises critical concerns about user privacy and safety in dating apps, highlighting the need for continued vigilance and robust security measures in the digital dating landscape. The rapid response from the companies involved is a positive step toward improving user protection, but ongoing scrutiny and innovation are essential to stay ahead of potential threats.