Tinder has become a verb among mobile apps for people anonymously searching – or “Tindering” – for dates among other users of the app near their location, but a recently fixed vulnerability in the app could have allowed hackers to track the mobile phones of its users.
Tinder was accidentally releasing location data but was unaware its users were exposed for months until cybersecurity research firm IncludeSecurity notified the company in October. IncludeSecurity published details about the vulnerability in a blog post on Wednesday after not receiving updates about the security fix from the mobile app company.
This type of security gap is unfortunately not unique to Tinder, according to the blog post, which was written by Max Veytsman, a researcher at IncludeSecurity.
“Flaws in location information handling have been commonplace in the mobile app space and continue to remain common if developers don't handle location information more sensitively,” Veytsman said.
Tinder also inadvertently exposed user location data last summer.
“We have not done research to find out how long this flaw has existed, we believe it is possible this flaw has existed since the fix was made for the previous privacy flaw in July 2013,” Veytsman said.
After Veytsman's blog post was published, Tinder CEO Sean Rad, through a spokesperson, emailed a general statement to the blog TechCrunch saying the company did not keep IncludeSecurity updated on the security fix because it typically does not share that kind of information.
“We are not aware of anyone else attempting to use this technique,” Rad’s statement said of the location-tracking gap tested by IncludeSecurity. “Our users’ privacy and security continue to be our highest priority.”
Users can “swipe” to like or dislike a photo of a potential date, resulting in a match if both app users approve the connection. The company does not release subscription data, but Rad told Time that the app generates 500 million swipes and 5 million matches every day.