Grindr smartphone app outs exact location of gays across Iran

A design flaw in the popular smartphone app “Grindr” permits anyone with an Internet connection, anywhere in the world, to identify the near-exact location — to within about 100 feet (30 meters) — of every gay man, worldwide, who is using the app at any given moment.

The locations of over 200,000 gay men, across the world, have already been pinpointed by the security breach in the past week, according to the gay European who discovered it.

As an example of how serious this really is, I just used Grindr to find the location of every gay man in Tehran, Iran who was online at the moment I checked. If I were to click the blue dots, you could see their profile.

Every gay man in Tehran, Iran who was on Grindr when I checked it using the security glitch:

every-gay-in-tehran

Here is every gay man in Iran who was online at the moment I checked. If you zoom in further, you can find the exact street and corner they’re on.

Keep in mind that just a few weeks ago, Iran executed two men, human rights authorities believe because of their gay sexual orientation.

All 189 gay men identified in Iran since the security glitch was discovered, with their exact location:

iran-grindr

Here’s one young gay Iranian I easily found, to the detail of his street corner, in Bandar-e Anzali, Iran — population 110,000. I have blurred his face, and have zoomed out the map, so that he can’t be identified.

Bandar-Anzali-Iran

Now, you might think that a 100-foot margin of error is enough to hide the exact location of the young Iranian gays. But what happens if authorities go door to door, to the two or three homes or apartment buildings in the area, and show this young man’s photo to every occupant? It would likely be easy to find him.

I’d reported on this problem extensively yesterday, showing examples of gay men in America, Paris, Uganda, Turkey, Jordan, and even in the British House of Commons and the Republican party headquarters in Washington, DC.

In a nutshell, services like Grindr, which basically are applications used for dating and/or hooking up, show you how many feet, meters, miles or kilometers you are from other users in your area. What the app does not do is tell you exactly where those users are, or even what direction they are from you — so, on its face, a single distance reading cannot tell you where they actually are.

The security glitch, discovered recently by a gay European Grindr user who prefers to remain anonymous, permits anyone to find that exact location. The person who discovered the glitch has protected the data so that no one can access who is online in particularly sensitive countries that Grindr serves (like Iran). They gave me special permission to peruse those countries, under the agreement that I make every effort to obscure the exact location and identity of the Grindr users.

Here is an example of what a typical Grindr user sees when checking out the profile of another user — note the person’s distance from me, 2 miles:

grindr

The design flaw, however, permits you to pin down the near-exact location of every single Grindr user who is online at any one time — down to a 100 foot (or so) margin of error.

Using the security glitch, I was able to find dozens of gay men in Tehran, down to the location they were on a particular block. Again, I’m making this map very small so that it’s impossible to actually tell where the men are.

Here is Tehran and all the gays online on Grindr just a few hours ago. If you click the blue dots, you get to see their screen name and profile image. A number of them use their actual face as their profile image.

tehran-small

Grindr gays online in Tehran, Iran at any one time.

Here’s an example of how detailed the searches, and the resulting maps, really are. I did not attempt to locate any gays in this particular map; rather, I zoomed in to show you how detailed the map is when you zoom in all the way. Here is Tehran, at full resolution. It shouldn’t be terribly difficult to locate someone once you know what block they’re on and have a photo of their face.

tehran-map

Here are more of the gay teens and men around Iran that I found over the past 12 hours.

Shiraz, Iran — population 1.3 million:

shiraz-iran-grindr-zoom-outxx

Sowme’eh Sara, Iran — population 36,000:

Someh-Sara-Iran-Grindr

Isfahan, Iran — population 3.8 million (again, this is zoomed out for their protection):

Isfahan, Iran, population 3.8 million.

Meet the gays of Isfahan, Iran, population 3.8 million.

Amir of Tabriz, Iran — population 1.4 million:

amir-of-tabriz-iran-grindr

Meet Amir, of Tabriz, Iran — population 1.4 million.

Grindr’s recent claim that the security breach isn’t a glitch, but rather an intentional feature, rubbed many the wrong way. First, Grindr’s statement:

“We don’t view this as a security flaw. As part of the Grindr service, users rely on sharing location information with other users as core functionality of the application and Grindr users can control how this information is displayed.

“For Grindr users concerned about showing their proximity, we make it very easy for them to remove this option and we encourage them to disable ‘show distance’ in their privacy settings.

“As always, our user security is our top priority and we do our best to keep our Grindr community secure.”

A friend who has a PhD in physics from MIT begged to differ. Here’s what he sent me, in response to Grindr’s claims:

Grindr is violating its users’ security and privacy, and they are doing it by design. Grindr’s design permits anyone with a computer connection to make a map showing the locations — accurate to about 100 feet — of every Grindr user in the world.

I believe Grindr when they say this is something they “intended all along”. Any service which permits anonymous users to access a distance to other users from an arbitrary position nearby, and permits those users to submit multiple locations, empowers the users to triangulate locations of identified users. It is a design flaw – from the point of view of security and privacy – to permit this capability. Grindr gives users the ability to suppress this — by turning off “Show Distance” under “Settings…Privacy”. But a user shouldn’t have to take proactive steps themselves to fix the unanticipated security and privacy risks that Grindr poses: Grindr should be proactive in protecting their users’ security and privacy, and right now, they are not. The Grindr app poses a danger to their users’ security and privacy, in its design.

Here are a few ways using this app poses a danger to its users’ security and privacy. In Iran (and many other countries), it is illegal to be gay — and often, in those countries, they’re not tied up on issues like a burden of evidence, the mere implication being enough. The police force in Tehran can make three internet queries to Grindr, and they will have the location and photograph of every Grindr user in Tehran, accurate to 100 feet. They can then send out officers with these photographs and locations, start knocking on doors, and showing the photographs around, until they find the user — which, with only a 100-foot region, will be very quick. In a day, the police could round up every Grindr user in Tehran, and they’d be executed soon thereafter.

There are a couple of ways Grindr can overcome this “threat to privacy-by-design”. One way is to remove “distance” entirely from the fields provided. That would make it impossible for third parties to make a map of users. That would be the best way. Grindr can still respond to queries from legitimate users with, say, the 50 closest other users, but not provide the distances. That would completely thwart nearly all distance-based security/privacy threats.

Another way is to make a decision, and by design, not give out location accuracy to better than, say, 1 mile. However, one flaw of this approach is that it makes an assumption about what is “safe” — and 1 mile may be safe enough in a dense urban environment, where 100,000 people might live, but could still be dangerous in a sparse rural environment.

Another way is to give Grindr users options: “How accurately do you want others to know where you are?:” and give options: 100 feet, 1 mile, 10 miles, “Do not show”. In each case, Grindr’s broadcasted “distances” would only be accurate to the stated distance, and would thwart triangulation to an accuracy better than the stated distance.

Finally: Grindr should *include* in their app the ability to map out other nearby Grindr users. Grindr says this information is available by design, but what we’re seeing now is that many Grindr users did not work through that this meant anyone, anywhere can see exactly where they are. By providing users a map with the locations of other nearby users (with pictures), it would inform their users what information about them is actually being broadcast by Grindr, so that their users could take action to protect themselves, like degrade how accurately others can see their location, or turn location services off entirely.
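The three-distance attack that the article and the physicist’s note describe (they call it triangulation; with distances rather than bearings it is trilateration), together with the two mitigations he proposes, as a worked example. This is the editor’s code, not Grindr’s and not part of the original post or the note. It works in metres on a flat plane, which is adequate at city scale, and the user’s position, the probe paths, the 1600 m (roughly one mile) reporting bucket and the per-user grid offset are all made-up values. The first function is the solver itself. The rest goes beyond the note on one point: it shows why simply coarsening the *reported* distance (the “1 mile” option) does not hold up when the attacker can place probes wherever they like, because bisecting along a path to the spot where the reported bucket flips hands over an exact distance; coarsening the *stored* position before any distance is computed caps what any number of probes can recover at the centre of the cell.

```python
"""Trilateration from reported distances, and what a server-side fix has to
coarsen.  Editor's example, not Grindr's code.  Positions are metres on a flat
local plane; the target, probe paths, bucket size and grid offset are made up."""
import math


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def trilaterate(probes, dists):
    """Point at distances `dists` from three probe positions.  Subtracting probe 0's
    circle equation from probes 1 and 2 leaves two linear equations in (x, y),
    solved here by Cramer's rule."""
    (x0, y0), (x1, y1), (x2, y2) = probes
    r0, r1, r2 = dists
    a1, b1 = 2 * (x1 - x0), 2 * (y1 - y0)
    c1 = r0 ** 2 - r1 ** 2 + x1 ** 2 - x0 ** 2 + y1 ** 2 - y0 ** 2
    a2, b2 = 2 * (x2 - x0), 2 * (y2 - y0)
    c2 = r0 ** 2 - r2 ** 2 + x2 ** 2 - x0 ** 2 + y2 ** 2 - y0 ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("probes are collinear; move one off the line")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


# --- two server policies an attacker can query from any position (made-up values) ---
STEP = 1600.0                # coarse reporting bucket, about one mile
TARGET = (1250.0, 830.0)     # the user's real position


def bucketed_server(probe, stored=TARGET, step=STEP):
    """Proposed fix 1: measure to the real position but report only the bucket
    (0 = under a mile, 1 = one to two miles, ...)."""
    return math.floor(dist(probe, stored) / step)


def snap(pos, cell, offset):
    """Snap `pos` to the centre of a grid cell.  The grid is shifted by a per-user
    secret `offset` so cell edges do not sit at coordinates everyone knows."""
    sx = math.floor((pos[0] - offset[0]) / cell) * cell + cell / 2 + offset[0]
    sy = math.floor((pos[1] - offset[1]) / cell) * cell + cell / 2 + offset[1]
    return (sx, sy)


SNAPPED = snap(TARGET, STEP, offset=(137.0, 911.0))   # what the server stores instead


def snapped_server(probe, stored=SNAPPED, step=STEP):
    """Proposed fix 2: the server never measures to the real position at all; it
    keeps a snapped position and reports the bucketed distance to that."""
    return math.floor(dist(probe, stored) / step)


# --- the attacker ------------------------------------------------------------------
def find_boundary(server, start, direction, step, hi=20000.0, iters=40):
    """Walk a probe from `start` along `direction` until the reported bucket changes,
    then bisect on the crossing.  At the crossing the true distance is exactly a
    multiple of `step`, so bucketing the reported distance still yields an exact
    distance, for about 40 queries."""
    ux, uy = direction

    def at(t):
        return (start[0] + t * ux, start[1] + t * uy)

    lo, b_lo = 0.0, server(at(0.0))
    if server(at(hi)) == b_lo:
        raise ValueError("no bucket change on this path; walk further")
    for _ in range(iters):
        mid = (lo + hi) / 2
        if server(at(mid)) == b_lo:
            lo = mid
        else:
            hi = mid
    # buckets b and b+1 meet at distance (b+1)*step, whichever side we arrived from
    return at(lo), max(b_lo, server(at(hi))) * step


PATHS = [((0.0, 0.0), (1.0, 0.0)),          # (start, unit direction), made up
         ((3000.0, 3000.0), (0.0, -1.0)),
         ((-2000.0, 500.0), (0.0, 1.0))]


def locate(server, step=STEP):
    """The whole attack: three boundary probes, then trilaterate."""
    probes, dists = zip(*(find_boundary(server, s, d, step) for s, d in PATHS))
    return trilaterate(probes, dists)


if __name__ == "__main__":
    fixed = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0)]
    print("exact distances    ->", trilaterate(fixed, [dist(p, TARGET) for p in fixed]))
    print("bucketed distances ->", locate(bucketed_server), "(still the user)")
    print("snapped position   ->", locate(snapped_server), "(only the cell centre)", SNAPPED)
```

The snapped position has to stay fixed for a user while they remain in the cell; re-snapping on every query, jittering it, or using a grid whose edges are the same for everyone gives the attacker something to average or probe again. Turning “Show Distance” off removes the user from all three servers above, which is the only complete protection the app offered at the time of writing.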

Stay tuned. I’ve got a whole lot more stories coming.


Follow me on Twitter: @aravosis | @americablog | @americabloggay | Facebook | Google+ | LinkedIn. John Aravosis is the editor of AMERICAblog, which he founded in 2004. He has a joint law degree (JD) and masters in Foreign Service from Georgetown (1989); and worked in the US Senate, World Bank, Children's Defense Fund, and as a stringer for the Economist. Frequent TV pundit: O'Reilly Factor, Hardball, World News Tonight, Nightline & Reliable Sources.


  • goulo

    As noted in the article, simply knowing the distance is already a dangerous security leak which exposes the location, regardless of whether the distance calculation is done on the server or the local client:
    Given the distances from 3 different locations to a user, by triangulation you can compute the user’s location.


  • Bose

    And yet, in the U.S., we still need to assume, too often, that we’re under the threat of extreme prosecution by our local law officers.

    http://savannahnow.com/effingham-now/2014-08-26/brother-and-sister-arrested-incest-effingham#.U__Y7PldWSp

    Near Savannah GA, a brother/sister pair (aged 20 & 25) were both booked for incest, punishable by 1-20 years. I’m not going to argue the merits of that charge; at minimum, they likely need help of some flavor assuming there is credible evidence.

    But, they were also charged with aggravated sodomy, defined as any sex between genitals and anus or mouth committed with force *and* against the will of the other person. Required sentence: 10-20 years, with an option of life in prison.

    Wait, an effing second, though… if both were chargeable under the incest statute, as well as the rape-y aggravated sodomy statute, the only workable scenario is that they took turns committing forced, rape-y sodomy against each other. (Flip-flop grudge-raping?)

    Clearly, LGBT folks in GA are not free of jeopardy under the aggravated sodomy statute, if any sex-related charges can be trumped up to potential life sentences, never mind Lawrence.

  • http://www.rebeccamorn.com/mind BeccaM

    Yeah, but spoofing IPs and locations is child’s play. And okay, let’s say they do as you suggest and detect a single client moving around and disallow more than X queries in a given period of time.

    So you fire up three separate clients, each with a different login. At that point, you don’t even have to worry about server code that detects unreasonable movement or positioning. You (and your two virtual alternates) are using the service exactly as it’s designed to be used.

    John came up with several good suggestions. One of mine was “Don’t let Grindr broadcast ANY location info in countries where being gay is itself illegal or dangerous.” His was for users to have to opt in to location broadcasting, with adequate warnings as to what that means, along with the ability to select exactly how closely you want people to be able to see you.

  • Edeiwmurk Nivek

    You raise a good point. But if distances were calculated on the server side, it would make triangulation much more difficult. If the app disallowed mock locations (as it should), then you couldn’t triangulate without physically traveling around unless you reverse-engineered the app to feed bogus locations to the server. If distances were reported to the nearest mile, then triangulation would become even more mathematically complex. The server could detect a single client moving around in an unrealistic manner and blacklist it. And of course, all this assumes that the user whose location is being triangulated is not moving.

  • Edeiwmurk Nivek

    If the Grindr app is smart, it won’t let you use mock locations. (Somehow I doubt that will be a problem…)

  • Edeiwmurk Nivek

    More to the point, it’s not strictly necessary for a user’s location to be known to other users at all, if the distance calculation is done on the server side. Broadcasting locations and letting the client calculate the distances is, in this case, a terrible design flaw. Clearly they didn’t think at all before they started coding.

    From the looks of it, Grindr is actually a really trivial app. I could probably produce a competitor in about a week, at least for Android. I’d need to find someone else to port it to iOS. Whattya say, Mr. Aravosis? Want to create the official AMERICAblog gay hookup app?

  • FLL

    If you expose yourself like that, you’re stupid.

    Everyone makes stupid mistakes at one time or another. Review your own comment history if you doubt that. I don’t think it follows that people deserve to listen to you snidely say that if someone is executed because they used Grindr, it’s their own fault for being stupid. Saudi Arabia is one such country where using Grindr would place people in danger. I seem to remember criticizing the Saudis (with good reason) for the hateful things that they include in their elementary and high school textbooks. I also remember you objecting by attaching a sarcastic reply, as though I were criticizing the “good people.” Your comment above is pretty nasty. Really. Read your comment again. What a vicious sentiment. I wouldn’t blame gay people in repressive countries for telling you to choke on your own bile.

  • Rambie

    Turn off the “Show Distance” setting and you’ll no longer show up on the map but Grindr will still work.

  • http://wicca.com/celtic/wicca/wicca.htm Colin

    This is terrible. And not just for the folks in Iran. This removes any safety in numbers we may have here also. Bullies and crazies become very brave when there is one of you and five of them.

  • http://www.rebeccamorn.com/mind BeccaM

    Yeah, but John, this is the Internet: If you’re exposing yourself at all, you’re exposing yourself to everyone who cares to look. The business model of Grindr itself consists of online profiles and this service to tell you how far away you are from the owner of it. It doesn’t take an MIT PhD to figure out an easy way to find that person is to use triangulation from a few places, draw a few arcs on a Google map and voila — you have the person’s exact location to within a few hundred feet at most.

    Oh, and lovely — Grindr lets people post profile photos of themselves, making finding the person even easier.

    A lot of us did imagine that any service giving away your location to potential strangers — or the means to easily deduce it — is rife with opportunity for harm. I’m just amazed so many people gave this information away willingly without thinking through the potential consequences.

  • http://www.rebeccamorn.com/mind BeccaM

    The blood of those Grindr users who meet harm will be on their hands.

    It’s not just a disservice. It’s criminal negligence.

  • http://AMERICAblog.com/ John Aravosis

    Well, and I’m wondering why Grindr couldn’t in those countries simply turn off the listing of how far away you are? You could still group people by their relative distance from you – first to last – without saying how far away they are. That would presumably make it much harder to find them. And at least require that in unsafe countries. Or at least offer it as an option. Simply offering users the option to disable location services, when not explaining to them what it means to NOT disable them, and also not explaining what it means to disable them (I would assume that Grindr is useless if I disable the location services, but if it’s not, then more folks might be willing to do it). But in any case, most Grindr users are I’m sure unaware that their location is available to anyone, and without that knowledge they can’t reasonably make an informed decision about the location option. Grindr appears to be, sadly, acting like every big bad anti-gay corporation we’ve dealt with in the past. First denying the problem even exists, then shutting up and hoping we all go away. And yes, once the secret police arrive in Tehran, I suspect many of us will be going away. They have built an amazingly popular app that is teetering on the brink of its own destruction. Whoever is advising them to just shut up and ignore the problem has done them a real disservice.

  • http://AMERICAblog.com/ John Aravosis

    The thing is, no one – and I mean no one – realized that they, we, were exposing ourselves to THIS degree. We thought the app was simply saying that we were x feet or x miles away, which offered us relative safety. No one imagined that anyone, and I mean ANYONE, could zero in easily on our exact location. This is abominable.

  • http://www.rebeccamorn.com/mind BeccaM

    It actually wouldn’t be that hard to actually disable location-finding in any of those countries. Sure, it’d take some coding, but it’s entirely possible to set up the service so that those users located in countries and places where it’s not safe to be outed simply do not register a location. Or when someone loads Grindr on their phone in, say, Iran, it says, “Sorry, but location services are not available in this region.”

    You’re right, Grindr’s people aren’t taking this seriously, and what’s more are setting themselves up for massive lawsuits from both directions, both from endangered users and from the governments who could rightly accuse Grindr of abetting in what these countries have deemed to be illegal homosexual acts.

  • nicho

    Maybe if you live in a repressive society that will kill you for being gay, you stay off of Grindr. It’s that simple. I live in the US and I manage to avoid it — and I’m not even closeted. If you expose yourself like that, you’re stupid.

  • http://AMERICAblog.com/ John Aravosis

    Yes, MIT guy explained to me that that’s the entire problem here. It’s not a glitch, it’s Grindr. This is the way it works. This is the way, he says, all location-type apps, that tell how far away you are, work. That this triangulation is likely possible on all of them, he says. I agree with you, Becca. I’m starting to think that this app shouldn’t be used in any country, or any place, where it isn’t safe to be outed as gay. And Grindr’s response, which didn’t even acknowledge the problem, the danger, is making me all the more concerned about the inherent danger in all of this. They don’t seem to be taking this very seriously.

  • http://www.rebeccamorn.com/mind BeccaM

    Personally, I’m hoping every Grindr member currently visiting or residing in countries with repressive anti-gay laws is being warned they’re in danger for as long as they leave their ‘broadcast my location’ option turned on.

    Even if Grindr fixes this particular security breach, it in no way addresses the lethal flaw intrinsic to the way Grindr is intended to function.

  • http://www.rebeccamorn.com/mind BeccaM

    As I said yesterday, yes, it’s very very bad that it’s possible with no effort at all to determine a given Grindr user’s location — including those who are unwisely using the service in countries where being gay equals prison or death.

    However, I also know a thing or two about orienteering. With just three origin points and distance to target from each origin, triangulation is possible. In fact, with just two origin points and distance, it’s possible to narrow a target to just one of two locations, where the circles overlap. Add a third and you’ll have the point. Your MIT friend is clever, but it doesn’t even take ‘clever’ to know how to do this. Your average Boy or Girl Scout knows how.

    These people aren’t just in danger because of the security breach. They’re in danger because Grindr EXISTS. And because Grindr is being used by members in countries with severe penalties for being gay. Or, like in Russia, where it’s a wink and a nod for neo-Nazi gangs to track them down and torture them.

    Patch the breach and the danger still exists. You have to be out of your frickin’ mind to be using Grindr while in Iran, Saudi Arabia, Kenya, Russia and all those other countries where they’ve passed anti-gay laws.

  • http://AMERICAblog.com/ John Aravosis

    I believe the guy who discovered it is.

  • pliny

    Hopefully someone with a rooted phone, decent knowledge of mock locations, and access to Google Translate is messaging these people to let them know they’re in danger…

© 2014 AMERICAblog News. All rights reserved.