Grindr vulnerability places men in harm's way

Gay and bisexual men placed at risk despite recent patches


Grindr, a dating application that caters to gay and bisexual men, could be placing them at risk, and in at least one case has helped authorities enforce anti-gay agendas by taking advantage of the service's geo-location functionality. Even after the application was allegedly patched, the problem remains.

Synack, a new start-up that delivers crowdsourced Red Teams, discovered two vulnerabilities in Grindr and reported them back in early March. Grindr silently patched one of the flaws, but the other remained untouched.

Grindr, used in 192 countries around the world, boasts more than seven million members. The application uses GPS and Wi-Fi to determine a person's location instantly, and connects them with other Grindr users nearby. From there, users can chat, share images, or even arrange meet ups.

As the core functionality of the application is location sharing, Grindr initially dismissed the idea that the tracking issue was a problem.

"We are always focused on doing what we’ve set out to do from the beginning: help guys meet other guys. Grindr’s geo-location technology is the best way for users to meet up simply and efficiently. As such, we do not view this as a security flaw," the company said in a statement on the issue.

"For Grindr users concerned about showing their proximity, we make it very easy for them to remove this option and we encourage them to disable ‘show distance’ in their privacy settings."

However, disabling the option doesn't help. According to Synack's findings, any user can query the Grindr server to gain access to geo-location data. Moreover, if the person spoofs their location, they can gain geo-location data on any Grindr user, anywhere, at any time.

"Although the Grindr app provided the means for a user to disable location-based sharing, this setting was only respected in the app’s user interface. The user’s location was still transmitted to Grindr’s server, and thus retrievable by anyone," Synack explained.

Shortly after Grindr's original statement, there were reports out of Egypt that authorities were using the Grindr vulnerability in order to track gays and lesbians.

Given that the geo-location data was extremely accurate (showing users as close as < 1 ft.), and the laws in Egypt force the LGBT community to remain hidden, authorities used Grindr's data to target small gatherings and parties and arrest those present for "indecent behavior."

In Iran, the actions were repeated. Using Grindr's tracking functionality, authorities were able to round up 200 people during a recent clampdown on Grindr users.

On September 5, in response to the news from Egypt, Grindr said they would hide the distance flag automatically, and by default, for any user living in a country with a history of violence against the gay community.

The move impacted users in Russia, Egypt, Saudi Arabia, Nigeria, Liberia, Sudan and Zimbabwe.

"There are many more countries already being protected by this location change, and we will continue to add more to this list. This change means that any user within these countries will not show distance on their profile (e.g. 1 mile away). Your location will not be able to be determined via trilateration or any other method, keeping your position private and secure," Grindr said.

"Users that are not located in countries with anti-gay legislation will be able to see distance in profiles, as we believe geo-location technology is the best way to help guys meet up simply and efficiently."

Once more, Grindr stressed that users who wished to hide their location and distance markers should disable the feature in the application's interface. And yet again, the disable options only apply to the application's interface; the data is still available from the Grindr server.

Furthermore, the changes made for those living in anti-gay regions are easily bypassed, rendering what little protection they offered useless. Synack researchers spoofed their location, telling the application that they were in Cairo, Egypt, and were able to pull precise distances and geo-location data immediately.

The only thing required in order to pull this information off of Grindr's server is a valid Grindr account. Geo-location is touted as a feature, but clearly it can be abused. Worse, it can be used to target human beings, whose only real crime seems to be that they exist.

While Grindr did alter their platform so that anonymous users couldn't access the geo-location data, creating a valid account is an easy process. In fact, details on how to abuse the application's functionality have been available online for some time.

Moreover, Grindr hasn't taken any of the steps recommended to them, including preventing location spoofing and limiting the accuracy of the distance markers, which the company still maintains is the simplest way for men to meet other men.
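As an added illustration (not code from Grindr or Synack), the Python example below shows what enforcing these controls on the server rather than in the interface could look like: the 'showDistance' flag decides whether a distance is sent at all, positions are snapped to a grid before any distance is computed so the reported value is coarse, and implausible location jumps are rejected. The field names profileId, pos and distanceKm, the grid size and the speed ceiling are assumptions made for the example.

```python
import math

EARTH_RADIUS_M = 6_371_000
GRID_DEG = 0.01         # assumed cell size, about 1.1 km of latitude
MAX_SPEED_MPS = 300.0   # assumed ceiling, roughly airliner speed

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def snap(point, grid=GRID_DEG):
    """Snap a coordinate to the centre of its grid cell before any use."""
    return tuple((math.floor(c / grid) + 0.5) * grid for c in point)

def plausible_move(prev_fix, new_fix, max_speed=MAX_SPEED_MPS):
    """Reject a location update that implies an impossible travel speed.
    Each fix is (lat, lon, unix_seconds)."""
    dt = new_fix[2] - prev_fix[2]
    if dt <= 0:
        return False
    return haversine_m(prev_fix[:2], new_fix[:2]) / dt <= max_speed

def nearby_entry(viewer_pos, target):
    """Build the server's response entry for one nearby profile."""
    entry = {"profileId": target["profileId"]}   # coordinates never leave the server
    if target.get("showDistance", False):        # a missing flag means hidden
        d = haversine_m(snap(viewer_pos), snap(target["pos"]))
        entry["distanceKm"] = max(1, round(d / 1000))
    return entry
```

Because the distance is computed from snapped positions, two users in the same grid cell produce identical responses, so repeated queries from different vantage points cannot resolve a position finer than the cell.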

The company hasn't made any additional changes or statements since being contacted about the remaining problems.

After this story was published, Grindr's press office sent the following statement:

"We monitor and review all reports of security issues regularly. As such, we continue to evaluate and make ongoing changes as necessary to protect our users."

In a statement, Synack added the following details to this story:

"It appears that Grindr has now fixed the API so all accounts have 'showDistance' = FALSE for countries that have anti-gay legislation such as Egypt and Russia. However, Grindr has not addressed the real-time tracking of users down to the centimeter in other countries such as the United States.

"As a result, the original vulnerability identified by Colby Moore of Synack Research has not been comprehensively addressed as an attacker can still track a Grindr user in real time from home, to the gym, to their job, out in the evening, etc. and determine patterns in behavior that would enable physical or property crime committed against the Grindr user."

Grindr has issued another statement to Salted Hash about this story. They disagree with the reporting that says geo-location data was exposed.

Calling the claims false, Grindr says:

"Users CAN NOT get access to geo-location data. They can only get access to 'distance from' data and ONLY for users that have 'Show Distance' flag set to true."

Moreover, they dispute the claims by Synack, which correctly noted that when a user disables location-based sharing, the setting is only respected in the application's user interface.

Once again calling the statement false, Grindr's latest statement adds:

"We DO NOT transmit distance from information for users who elected to disable their 'Show Distance' flag."

As the previously mentioned update from Synack mentions, some of the flaws in the Grindr application have been addressed, but the risk remains the same for the most part.

The upside is that they did at least fix their application for users in areas where there is a strong anti-gay presence.

Copyright © 2014 IDG Communications, Inc.
