Another day another privacy problem with an app

February 23, 2014

The Guardian reports, in “Tinder dating app was sharing more of users’ location data than they realised”, on a data security flaw in the Tinder app which was identified and notified to the developer last October but not fixed until year’s end. Apps are a significant and growing problem for data security. In Australia many start-up apps are not covered by the Privacy Act. The owners rarely have turnover of $3 million or more and aren’t covered by any of the small business services which rope them into the operation of the Act, such as handling health information or credit information as either a credit provider or credit reporting body. So the Act does not apply to the one area of rapid development in the technology market whose lifeblood is the collection, storage and use of personal information. And without regulation, developers are all about getting the app into the market quickly, with as quick a take-up rate as possible. Not an environment where the focus is upon voluntary compliance with the spirit of the Australian Privacy Principles. A very big lacuna in the law. Given the regularity of apps running into privacy breach and data management problems (see the Snapchat snafu, Android apps’ tendency to breach privacy, and the woeful data security that leads to targeting of apps such as Angry Birds; this problem has been identified for some time, for example in 2010), this is a significant public policy failure.

The article provides:

Mobile dating app Tinder has millions of users swiping on one another’s profiles to find matches, but it seems that for part of last year, they were sharing more information than they realised.

Part of the app’s appeal is that it shows people other users nearby, providing a rough distance indication, but doesn’t share their actual location for safety purposes.

White-hat hacking firm Include Security has revealed that it identified a flaw in Tinder last year that enabled hackers to identify the location of individual Tinder users to within 100 feet. It notified Tinder about the security hole in October, but claims it was not fixed until some time in December.

It was related to a fix for a previous privacy issue in Tinder, when the app was found to be transmitting latitude and longitude coordinates of matched profiles, meaning developers could access this data by querying Tinder’s API.

“We have not done research to find out how long this flaw has existed, we believe it is possible this flaw has existed since the fix was made for the previous privacy flaw in July 2013,” wrote Include Security’s Max Veytsman in a blog post which suggests Tinder is far from the only location-based app to include such a loophole.

“Flaws in location information handling have been common place in the mobile app space and continue to remain common if developers don’t handle location information more sensitively,” he wrote, while also publishing a YouTube video showing how the flaw could have been exploited.

By definition, white-hat hackers identify these kinds of security flaws not to harm people, but to ensure they are patched up. In his blog post, Veytsman lays out a timeline of his firm’s interactions with Tinder, suggesting that the company – a subsidiary of media giant IAC – was less than forthcoming in its responses.

Its chief executive, Sean Rad, has provided a comment to Businessweek. “Shortly after being contacted, Tinder implemented specific measures to enhance location security and further obscure location data,” he said.

“We did not respond to further inquiries about the specific security remedies and enhancements taken as we typically do not share the specifics of Tinder’s security measures. We are not aware of anyone else attempting to use this technique. Our users’ privacy and security continue to be our highest priority.”
