Include Security Identifies Major Vulnerability in Tinder Online Dating App

Major Application Vulnerability Allowed Millions of Tinder Users to be Trackable for Most of 2013

Feb 19, 2014, 12:38 ET from Include Security

NEW YORK, Feb. 19, 2014 /PRNewswire/ -- Include Security, a boutique information security consulting firm, today unveiled new research showing that users of the popular online dating app Tinder were at significant risk due to a vulnerability they discovered in the geo-location feature of the application. This vulnerability allowed Tinder users to track each another's exact location for much of 2013.

Include Security's research team first discovered the flaw and reported it to Tinder this past fall, citing that the vulnerability would allow any Tinder user to find another user's location if the Tinder app is running, or their last known location if not. Using an algorithm called trilateration, Include Security's research team was able to get the exact latitude and longitude co-ordinates for any Tinder user.

According to the blog, "anyone with rudimentary programming skills could query the Tinder API directly and pull down the co-ordinates of any user." This resulted in a privacy violation for the users of the application.

Erik Cabetas, Managing Partner and Founder of Include Security said, "Due to Tinder's architecture, it is not possible for one Tinder user to know if another took advantage of this vulnerability during the time of exposure. The repercussions of a vulnerability of this type were pervasive given Tinder's massive global base of users. Once our research team discovered it, we reported the vulnerability directly to Tinder and followed up multiple times between October and December 2013 to ensure they were addressing the problem."

At some point between December and early January, Tinder did issue a fix for this problem.

"As more and more applications are being built to include geo-location services, there is an increased risk to the privacy and safety of users," added Cabetas. "Application vendors and developers have a responsibility to ensure their users' privacy and security is protected, vulnerabilities are communicated promptly, and priority is given to developing important fixes like this."

For more details on this vulnerability, please visit:

About Include Security
Include Security, is a boutique consulting company with security researchers in North America, Europe, and South America.  Businesses rely on the secure performance of their digital platforms, and demand a comprehensive approach that doesn't exhaust company resources or engage in lengthy timelines. With headquarters in New York, Include Security provides clients with advanced assessments of their technology that is straightforward and strategic. For more information please see and follow us on Twitter: @IncludeSecurity

SOURCE Include Security