Popular gay dating app Grindr faces creepy security breach allegations

The wildly popular gay dating app “Grindr” is facing accusations that a glitch in its system is giving away the actual location of its users to anyone with a Web connection.

The charge, first reported by NDTV — which I tested and found to be accurate — is that someone not even signed in to the phone/tablet application can find the location of any Grindr user to within about 100 feet.

Among the locales in which gays were detected by my test of the security breach: Turkey, Jordan, the British House of Commons, and the DC headquarters of the Republican National Committee.

(Update: Using the Grindr security glitch, I just found three gays in Kampala, Uganda; and a colleague found two inside the Russian state Duma (parliament), and one inside the Kremlin itself.)

(Update: The security glitch has now exposed the locations of nearly 200 gay men in Iran, a country in which gay men are hanged.)

Grindr has responded, claiming that the ability to identify the location of its users isn’t a security flaw, but rather, something they intended all along. That claim might come as a surprise to Grindr’s users, who, like me, probably had no idea that they were divulging their exact location to anyone.

Online privacy while gay

Now, why would knowing someone’s location be a problem?

First, there’s personal safety. Sometimes you just don’t want everyone knowing where you live, especially strangers you chat with online.

Second, sometimes you value your anonymity because you’re not “out.” Many gay people are not out of the closet, either because they just aren’t comfortable having everyone know they’re gay, or because they live somewhere where it’s not safe being gay (such as Russia, Africa, certain parts of America, etc.). They could also be a minor who’s not out to their parents.

How Grindr determines location

Many Grindr users give permission for their general location to be known to other Grindr users – and I emphasize “general.” Depending on the options the user selects, the app will show the distance in feet, meters, miles or kilometers between the user and any other nearby users.

For example, here’s someone 2 miles away from me. Note that while Grindr tells me the person is 2 miles away, I get no additional information as to where they’re located, so I really have zero idea where the person actually is. I can’t even guess what town he’s in, as there are probably 3 towns within that distance from where I am:

But while the app shows that you’re, say, “1000 feet” from a nearby user, it does not show the direction of the other user. Thus, while you know that he’s 1,000 feet away, he could be north, south, east, west, or anywhere in a 360 degree arc; making it impossible to know where he actually is.

The “flaw,” however, uses triangulation to permit anyone to determine the actual location of that user within around 100 feet.  And as one reader notes below, that’s all you need to out someone, especially someone who lives in a rural area:

Wow, I just tried this on myself. I’m currently in a very rural area, and it pinpointed to my exact location. Because there’s no address anywhere near 100 feet of me, anyone can find exactly where I am.

Very alarming! I’m not closeted and don’t generally feel threatened here. But for any homophobe or sociopath to be able to anonymously determine how to get to my front door or window is very disturbing… I’ll likely discontinue Grindr until I see this resolved.

I tested the triangulation via a Web site posted by an anonymous person. The site permits you to zoom in on a map of the US or Europe and find which Grindr users are online, and where they’re located on the map. In my case, the Web site was able to find me on a map within 100 feet of my actual location. (I tried other continents, but was unsuccessful.)

In contrast to some reports online, when I turned off the “show distance” setting in Grindr, my blue dot did in fact disappear from the Web page. It then came back when I turned “show distance” back on.
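Why a distance with no direction still gives away a position, and how coarsening the stored location limits that, shown as an added example (not code from Grindr or from the Web site described above). It assumes a flat plane measured in metres, constructed coordinates, and that the “triangulation” combines distance readings taken from three vantage points; the grid-snapping mitigation is an illustrative assumption, not Grindr’s fix.

```python
import math

def snap(point, cell):
    """Server-side mitigation (assumed): round a position to a grid of `cell` metres."""
    return (round(point[0] / cell) * cell, round(point[1] / cell) * cell)

def reported_distance(observer, user, cell=0.0):
    """Distance the service would show; cell > 0 snaps the user's position first."""
    ux, uy = snap(user, cell) if cell else user
    return math.hypot(observer[0] - ux, observer[1] - uy)

def trilaterate(observers, dists):
    """Point consistent with three distance readings (flat-plane geometry)."""
    (x1, y1), (x2, y2), (x3, y3) = observers
    d1, d2, d3 = dists
    # Subtracting circle 1 from circles 2 and 3 leaves two linear equations.
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("vantage points are collinear")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)

def recovery_error(user, observers, cell=0.0):
    """How far (metres) the recovered point lies from the user's true position."""
    dists = [reported_distance(o, user, cell) for o in observers]
    est = trilaterate(observers, dists)
    return math.hypot(est[0] - user[0], est[1] - user[1])

# Constructed sample data: one user and three vantage points, in metres.
USER = (1234.0, 567.0)
OBSERVERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0)]

if __name__ == "__main__":
    print("exact distances:   off by %.2f m" % recovery_error(USER, OBSERVERS))
    print("1 km grid snapped: off by %.2f m" % recovery_error(USER, OBSERVERS, 1000.0))
```

With exact distances the recovered point coincides with the true one; with the position snapped to a 1 km grid, the readings only ever agree on the grid point, so the error is bounded by the cell size rather than by the precision of the distance display.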

Examples of locations of Grindr users

Here are some examples of Grindr users the site was able to find in the US and Europe.

Here’s Chicago’s downtown:

Here’s the neighborhood just south of Paris’ Place de la République:

Here’s Malta:

And Palermo, Sicily:

And Turkey (I’m intentionally not zooming in all the way, so it’s not entirely clear where these people are):

And Jordan (intentionally blurred):

Israel and Gaza:

And here’s Moscow, just north of Red Square (I obscured the exact locations):

Here’s Kyiv, Ukraine:

Here are the US Senate office buildings, circled in red:

And here are the US House office buildings:

And here’s someone “working” late in the British House of Commons:

And here’s, apparently, an intrepid employee of the Republican National Committee in Washington, DC.

Grindr says it’s not a bug, it’s a feature

Per Joe My God, Grindr has apparently responded to the concerns, saying that this isn’t a security flaw:

“We don’t view this as a security flaw. As part of the Grindr service, users rely on sharing location information with other users as core functionality of the application and Grindr users can control how this information is displayed.

“For Grindr users concerned about showing their proximity, we make it very easy for them to remove this option and we encourage them to disable ‘show distance’ in their privacy settings.

“As always, our user security is our top priority and we do our best to keep our Grindr community secure.”

Well, that’s a bit disingenuous.

When I’ve used Grindr, or any online app that estimates my distance to another user, I never imagined that someone could use the app to find my actual location within 100 feet. So when Grindr users make a decision as to whether to “show distance,” they’re not necessarily making an informed decision to “show location” as well.

And I seriously doubt that any Grindr users were aware that showing their near-exact location (and to someone who doesn’t even have an account on Grindr and isn’t even signed in) was a “core functionality of the application.”

It’s actually kind of creepy.

Also note that the not-a-bug doesn’t just show anonymous blue dots. It shows you the name and picture associated with the user’s profile, when you click the blue dot.  For example, here’s Chicago again, when I clicked on the blue dot at Wabash and Monroe:

Personally, I find Grindr’s answer disturbing.  I don’t sign in to Grindr in order to let people track my near-exact location as I move around town, and I doubt most of Grindr’s users do either.  Especially Grindr’s users in Russia, Africa, and lots of other places where it’s downright deadly to be gay.

I’m also awfully curious how this comports with Europe’s notoriously strict privacy laws.

This is a security flaw, and it needs to be fixed now.


John Aravosis is the Executive Editor of AMERICAblog, which he founded in 2004. He has a joint law degree (JD) and masters in Foreign Service from Georgetown; and has worked in the US Senate, World Bank, Children's Defense Fund, the United Nations Development Programme, and as a stringer for the Economist. He is a frequent TV pundit, having appeared on the O'Reilly Factor, Hardball, World News Tonight, Nightline, AM Joy & Reliable Sources, among others. John lives in Washington, DC.

© 2018 AMERICAblog Media, LLC. All rights reserved.