Bumble, Hinge, and other apps had to fix privacy risk, study says

Researchers found that some major dating apps left users' locations able to be exposed by bad actors.
By Anna Iovine  on 
hand holding key, another hand emerging from smartphone with a lock
Credit: Accogliente Design / Shutterstock

Dating apps require users to disclose vulnerable information — and not just someone's romantic dreams. Most times, these apps require personal data like your name, age, and location. In the case of the latter, a new paper details that, for a time, several major apps left user locations able to be exposed by potential adversaries.

Dating app location vulnerabilities

In a new paper out of Belgian university KU Leuven, "Swipe Left for Identity Theft," researchers break down potential privacy risks for 15 location-based dating apps (LBDs) with at least 10 million downloads. These days, dating apps are typically location-based in order to help users find matches physically close to them. By needing location, however, it opens users up to potential risks.

All apps except one used distance between users to measure location. (That exception, TanTan — an Asian dating app — used exact coordinates one-time at the point of matching, and only if they matched.) "However, lacking sufficient protections, the availability of distances can still lead to the inference of a user's location," the paper states. "This is done through trilateration."

Trilateration is the process of determining location by measuring distances between three triangles (or circles, or spheres). There are different types of trilateration apps use to determine location. The authors — Karel Dhondt, Victor Le Pochat, Yana Dimova, Wouter Joosen, and Stijn Volckaert — found that they were able to pinpoint almost an exact location in six out of 15 apps, as TechCrunch reported.

Which dating apps had location vulnerabilities?

The most common vulnerability was through "oracle trilateration," which the paper explains, "Adversaries use an oracle that indicates through a binary signal whether a victim is located within proximity, i.e., when they are within a defined 'proximity distance' from the attacker."

Hinge, Bumble, Badoo (which is owned by Bumble), and Hily were susceptible to such trilateration.

A Hinge spokesman told Mashable:

Mashable After Dark
Want more sex and dating stories in your inbox?
Sign up for Mashable's new weekly After Dark newsletter.
By signing up you agree to our Terms of Use and Privacy Policy.
Thanks for signing up!

At Hinge, the safety and privacy of our users is always a top priority. Our app is built with a privacy-by-design approach and strictly protects sensitive user data. We are proud of our state-of-the-art bug bounty program and our ongoing dialogue with researchers, which are designed to attract comments so we can make adjustments before any harm happens to our users. We reviewed the feedback from this research team when we received it in early 2023 and immediately took action where appropriate.

A Bumble spokesperson told both TechCrunch and Mashable, "We were made aware of these findings in early 2023, and swiftly resolved the issues outlined. As a global business with members in countries all over the world, we are committed to protecting our users’ privacy and have adopted a global approach to privacy compliance."

This statement applies for Badoo as well, Bumble told Mashable.

Dmytro Kononov, CTO and co-founder of Hily, shared this statement with TechCrunch:

The findings indicated a potential possibility for trilateration. However, in practice, exploiting this for attacks was impossible. This is due to our internal mechanisms designed to protect against spammers and the logic of our search algorithm...Despite this, we engaged in extensive consultations with the authors of the report and collaboratively developed new geocoding algorithms to completely eliminate this type of attack. These new algorithms have been successfully implemented for over a year now.

Grindr was vulnerable to "exact distance trilateration." This can be done when services reveal exact distances to other users. The authors were able to figure out user locations as close as 111 meters (around 364 feet). Exact distance trilateration was possible even when the distance was hidden, such as in Egypt where Grindr hides all user locations for safety reasons.

"The proximity Grindr offers to this community is paramount in providing the ability to interact with those closest to them, Grindr's chief privacy officer Kelly Peterson Miranda told TechCrunch. "As is the case with many location-based social networks and dating apps, Grindr requires certain location information in order to connect its users with those nearby...Grindr users are in control of what location information they provide."

Finally, the app happn was vulnerable to "rounded distance trilateration," which can be done if an app utilizes a rounded location as a precaution. CEO and president of happn, Karima Ben Abdelmalek, told TechCrunch:

After review by our Chief Security Officer of the research findings, we had the opportunity to discuss the trilateration method with the researchers. However, happn has an additional layer of protection beyond just rounding distances...This additional protection was not taken into account in their analysis and we mutually agreed that this extra measure on happn makes the trilateration technique ineffective.

It appears that for apps with these vulnerabilities, the apps took measures to stop bad actors from determining user location using trilateration, with the exception of Grindr.

Which dating apps weren't vulnerable?

According to the paper, Tinder and LOVOO used "grid snapping" to prevent trilateration. Grid snapping is a technique of dividing one's location into a grid of squares. Coordinates (aka where users are) are moved to the center of these squares (Tinder) or the right side (LOVOO) and one's distance is measured from there. Therefore, their actual distance is inaccurate and can't be trilaterated.

Plenty of Fish and Meetic don't access GPS locations. While MeetMe, Tagged, and OkCupid do access this information, they convert it to the nearest town. The authors couldn't reverse engineer the information they needed for TanTan and Jaumo, so they couldn't test this method to find user locations.

The paper shows the importance of caution when using dating apps. As the paper concludes, "We hope that the awareness that we bring of these issues will lead LBD app providers to reconsider their data gathering practices, protect their APIs [application programming interfaces] from data leaks, prevent location inference, and give users control of their data and therefore ultimately their privacy."

anna iovine, a white woman with curly chin-length brown hair, smiles at the camera
Anna Iovine
Associate Editor, Features

Anna Iovine is associate editor of features at Mashable. Previously, as the sex and relationships reporter, she covered topics ranging from dating apps to pelvic pain. Before Mashable, Anna was a social editor at VICE and freelanced for publications such as Slate and the Columbia Journalism Review. Follow her on X @annaroseiovine.


Recommended For You
Most ADHD daters feel misunderstood, Hinge says
man looking at phone stressed with unanswered texts in the background

Hinge adds limit on unanswered messages
your turn limits on hinge

Hinge's top prompts going into cuffing season
A person is holding a mobile phone with the Hinge logo on its screen


The best dating apps of 2024 for every type of single
illustration of two women meeting at a bar

More in Life
How to watch Australia vs. India 2nd Test online for free
Virat Kohli of India celebrates scoring a century

How to watch New Zealand vs. England 2nd Test online for free
England's Brydon Carse celebrates

How to watch the 2024 Abu Dhabi Grand Prix online for free
Sergio Perez of Mexico driving the Oracle Red Bull Racing

Amazon is giving two free Kindle books to Prime members in December
three book covers on a dark blue and purple background

How to watch Packers vs. Lions online for free
By Trisha Easto
Jordan Love of the Green Bay Packers

Trending on Mashable
NYT Connections hints today: Clues, answers for December 6, 2024
A phone displaying the New York Times game 'Connections.'

Wordle today: Answer, hints for December 6
a phone displaying Wordle

At 2 a.m., an unexpected event led to a surprise planet discovery
A NASA conception of what the exoplanet Kepler-51e might look like.

Tesla suspends Cybertruck production. Who could have predicted this?
Tesla vehicles, including Cybertrucks, loaded on a transport that seems to be going nowhere.

NYT Connections Sports Edition today: Hints and answers for December 6
A phone displaying the New York Times game 'Connections.'
The biggest stories of the day delivered to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up. See you at your inbox!