Vulnerability in Bumble dating app reveals any user’s exact location

You’re concerned about Steve Steveington, your good friend and co-CEO. At Steveslist, the online marketplace you co-founded together where people can buy and sell items without asking too many questions, business has been slow.

A dating app vulnerability?

The Covid-19 pandemic has been unusually kind to the majority of the tech business, but not to your particular slice. The “comatose, monkey-brained leadership” is to blame, according to your board of directors. You point the finger at macroeconomic variables outside your control and slacker staff.

A possible scenario

In any case, you’ve been doing everything you can to keep the business afloat, browning your books more than ever before and turning an even blinder eye to clearly illegal activities. However, you’re concerned that Steve, your co-CEO, is losing his cool. You keep telling him that the only way out of this storm is through it, but he doesn’t believe the metaphor applies here, and he doesn’t see how spiraling deeper into deception and flimflam could ever lead to another side. This makes you worry even more, because the Stevenator is continuously pushing for more spiraling. Something has to be going on.

Your office in the San Francisco Public Library’s 19th Century Literature section is only a mile from the FBI’s San Francisco headquarters. Is it possible that Steve is snitching on you? Is he genuinely nipping out to clear his conscience when he says he’s nipping out to clear his head? You’d follow him if he didn’t bolt out whenever you were in a meeting.

Fortunately, the Stevester is a frequent user of Bumble, a famous online dating app , and you believe you might be able to track him down via his Bumble account.

What is the mechanism behind it?

Here’s how it’s going to work. Bumble, like most other online dating apps, shows its users how far apart they are. This allows users to decide whether a potential paramour is worth a 5 mile scooter ride on a dreary Wednesday evening when there’s a cold pizza in the fridge and millions of hours of YouTube they haven’t watched. Knowing roughly how close a possible honey is is both useful and provocative, but it’s critical that Bumble doesn’t divulge a user’s specific location. An attacker might use this information to figure out where the user lives, where they are right now, and whether they are an FBI informant.

Tinder decided to estimate the distance between users on their server rather than on users' phones to counteract this threat. Instead than giving a user’s phone the exact location of a match, they only communicated pre-calculated distances. This meant that neither the Tinder app nor an attacker saw a potential match’s actual coordinates. Despite the fact that the app only displayed distances adjusted to the closest mile (“8 miles,” “3 miles”), Tinder provided these distances to the app with 15 decimal places of precision, which the app then rounded before showing. This needless accuracy allowed security researchers to re-derive a victim’s almost-exact location using a technique called trilateration (which is close to but not the same as triangulation).

the theorical flaw

The following is a diagram of how trilateration works. Tinder knows a user’s location because their app delivers it to them on a regular basis. It is, however, simple to spoof bogus location updates that fool Tinder into thinking you’re in any location you want. The researchers used Tinder to spoof location updates, allowing their attacker to move around their victim’s city. They asked Tinder how far away their target was from each spoof location. Tinder returned the answer, with 15 decimal places of precision, after seeing nothing wrong. The researchers repeated the process three times before drawing three circles on a map, each with a center equal to the faked locations and a radius equal to the reported distances to the user. The intersection of all three circles revealed the victim’s exact location.

the patch

Tinder patched this flaw by computing and rounding the distances between users on their servers, and only transmitting these fully-rounded figures to their app. You may have heard that Bumble only sends fully-rounded figures, presumably as a result of Tinder’s errors. Approximate trilateration can still be done using rounded distances, but only to within a mile-by-mile square or so. This isn’t good enough for you because it doesn’t inform you whether the Stevester is at FBI headquarters or a half-mile away at McDonalds. You’ll need to identify a new weakness in order to pinpoint Steve with the accuracy you require.

Check the rest of this incredible tech insight here!