In a demonstration for BBC News, cyber-security researchers were able to generate a map of users across London, revealing their precise locations.
This problem and the associated risks have been known about for years but some of the biggest apps have still not fixed the issue.
What is the problem?
Several also show how far away individual men are. And if that information is accurate, their precise location can be revealed using a process called trilateration.
Here’s an example. Imagine a man shows up on a dating app as “200m away”. You can draw a 200m (650ft) radius around your own location on a map and know he is somewhere on the edge of that circle.
If you then move down the road and the same man shows up as 350m away, and you move again and he is 100m away, you can then draw all of these circles on the map at the same time and where they intersect will reveal exactly where the man is.
Researchers from the cyber-security company Pen Test Partners created a tool that faked its location and did all the calculations automatically, in bulk.
They also found that Grindr, Recon and Romeo had not fully secured the application programming interface (API) powering their apps.
“We think it is absolutely unacceptable for app-makers to leak the precise location of their customers in this fashion. It leaves their users at risk from stalkers, exes, criminals and nation states,” the researchers said in a blog post.
LGBT rights charity Stonewall told BBC News: “Protecting individual data and privacy is hugely important, especially for LGBT people worldwide who face discrimination, even persecution, if they are open about their identity.”
Can the problem be fixed?
- only storing the first three decimal places of latitude and longitude data, which would let people find other users in their street or neighbourhood without revealing their exact location
- overlaying a grid across the world map and snapping each user to their nearest grid line, obscuring their exact location
How have the apps responded?
Recon told BBC News it had since made changes to its apps to obscure the precise location of its users.
“In hindsight, we realise that the risk to our members’ privacy associated with accurate distance calculations is too high and have therefore implemented the malaysian dating site snap-to-grid method to protect the privacy of our members’ location information.”
It added Grindr did obfuscate location data “in countries where it is dangerous or illegal to be a member of the LGBTQ+ community”. However, it is still possible to trilaterate users’ exact locations in the UK.
Its website incorrectly claims it is “technically impossible” to stop attackers trilaterating users’ positions. However, the app does let users fix their location to a point on the map if they wish to hide their exact location. This is not enabled by default.
The company also said premium members could switch on a “stealth mode” to appear offline, and users in 82 countries that criminalise homosexuality were offered Plus membership for free.
BBC News also contacted two other gay social apps, which offer location-based features but were not included in the security company’s research.
Scruff told BBC News it used a location-scrambling algorithm. It is enabled by default in “80 regions around the world where same-sex acts are criminalised” and all other members can switch it on in the settings menu.
Hornet told BBC News it snapped its users to a grid rather than presenting their exact location. It also lets members hide their distance in the settings menu.
Are there other technical issues?
There is another way to work out a target’s location, even if they have chosen to hide their distance in the settings menu.
Most of the popular gay dating apps show a grid of nearby men, with the closest appearing at the top left of the grid.
In 2016, researchers demonstrated it was possible to locate a target by surrounding him with several fake profiles and moving the fake profiles around the map.
“Each pair of fake users sandwiching the target reveals a narrow circular band in which the target can be located,” Wired reported.
The only app to confirm it had taken steps to mitigate this attack was Hornet, which told BBC News it randomised the grid of nearby profiles.