Alleged Security Flaw In Grindr Reveals Exact User Location

A new report claims that tech-savvy hackers can pinpoint Grindr users’ exact locations—down to what room in the house they’re in.

NDTV is reporting that an anonymous tipster has spammed more than 100,000 users in 70 countries with anti-gay laws, warning them that their security, and possibly their lives, are in jeopardy.

The tipster writes:

Officials at Grindr have been informed several times within the past months about these issues, which would seem to imply that the concept of ’social responsibility’ is lost upon Grindr.

Knowing that Grindr-Users in countries such as these are being put unnecessarily at a high risk should be reason enough for Grindr to change its system.

Normally, Grindr only provides the distance in feet or miles between two users, but according to the article, “specific location data can be extrapolated by querying Grindr’s servers from three different places and triangulating the information received.”

This process can easily be automated, with the coordinates overlaid onto a map. NDTV posted screenshots with such a map from a user in India (at right).

The flaw arises from the fact that anyone can query Grindr’s servers using standard JSON (JavaScript Object Notation) without needing to be authenticated.

The server’s response will contain whatever information users have added to their profiles, potentially including a photo, text description, age, ethnicity, body type, time last seen online, and relationship status.

Grindr users can turn off their location information, and the whistleblower included links to a YouTube video demonstrating how to do that in several different countries.

Currently, Grindr has more than five million active users worldwide.

UPDATE: Grindr responded to this story with the following statement:

We don’t view this as a security flaw. As part of the Grindr service, users rely on sharing location information with other users as core functionality of the application and Grindr users can control how this information is displayed. For Grindr users concerned about showing their proximity, we make it very easy for them to remove this option and we encourage them to disable ‘show distance’ in their privacy settings. As always, our user security is our top priority and we do our best to keep our Grindr community secure.