Marc Pratllusá and Oriol Martínez, Spanish computer engineers specialized in computer security, have found a fairly serious flaw in the dating application Tinder. Pratllusá and Martínez, without being hackers or anything of the sort, realized that a design flaw in the application could allow anyone with minimal computer knowledge to find out the latitude and longitude of the people they had "matched" with in the app. The engineers discovered the bug by chance while inspecting other apps like Wallapop, Facebook or Spotify for professional reasons, and that is when they discovered that the app was transmitting the location as coordinates instead of as a distance, as it should.
The application works very simply: the person using it swipes through the photos of users who fit the criteria they have entered and marks the ones they like; if the person they have marked reciprocates, there is a match. Under this premise of use, the engineers found that they could identify the exact location of the people they matched with. The error was persistent even after blocking the user. And we say "was", in the past tense, because Tinder's engineers have taken it upon themselves to fix it without notifying users of the bug, acting as if nothing had happened.
But the most worrying thing is that this bug in the application not only reported the location at that moment, but also reported it again every time we moved, which allowed users to be monitored by other users as if it were a geolocation system.
Tinder has not made any announcement; it only commented to EL PAÍS that "The privacy and security of our users is our top priority. We're not talking about specific vulnerabilities we might find in order to protect them." But, apparently, it took three months from the time the engineers reported the bug to the app's developers until it was resolved.
To access this information, the Catalan engineers only had to install a proxy server between their phone and the Tinder server. With a proxy in that position, it is possible to read the information that is sent to the user's phone.
Once the proxy was installed and they had observed the flaws, they decided to create fake profiles to carry out different tests in order to verify the existence of the mistake. And indeed the error existed, and they were able to verify the exact location of different people, as can be seen in the previous photo. It is not yet known how long this had been going on or how many people may have used it maliciously, although we can confirm that three months passed between Pratllusá and Martínez discovering it and Tinder fixing it.
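
The design point described above (send a distance, not coordinates, and stop sending location once a user is blocked) can be sketched server-side as follows. This is an added example, not Tinder's code: the field names, the rounding to whole kilometres, the `blocked_pairs` set and the list of forbidden keys are all assumptions made for illustration.

```python
import math

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def match_payload(viewer, other, blocked_pairs):
    """Build what the API sends to `viewer` about `other` (hypothetical schema).

    Coordinates never leave the server: only a distance rounded up to whole
    kilometres is returned (the rounding is an assumption of this sketch), and
    no location data at all is returned once either side has blocked the other.
    """
    payload = {"user_id": other["user_id"], "name": other["name"]}
    if frozenset((viewer["user_id"], other["user_id"])) in blocked_pairs:
        return payload
    d = haversine_km(viewer["lat"], viewer["lon"], other["lat"], other["lon"])
    payload["distance_km"] = max(1, math.ceil(d))
    return payload

# Assumed names for coordinate-like fields; adapt to the real response schema.
FORBIDDEN_KEYS = {"lat", "lon", "latitude", "longitude", "coordinates", "pos"}

def leaked_location_keys(obj, path=""):
    """Recursively list the paths of coordinate-like keys in a response body."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in FORBIDDEN_KEYS:
                hits.append(here)
            hits.extend(leaked_location_keys(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(leaked_location_keys(value, f"{path}[{i}]"))
    return hits

# Constructed sample users (Madrid and Barcelona city centres).
ALICE = {"user_id": "u1", "name": "Alice", "lat": 40.4168, "lon": -3.7038}
BOB = {"user_id": "u2", "name": "Bob", "lat": 41.3874, "lon": 2.1686}
```

Running `leaked_location_keys` over every serialized response in an API test suite turns this class of leak into a failing test instead of something found later by inspecting traffic.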