Popular gay dating app Grindr faces creepy security breach allegations

The wildly popular gay dating app “Grindr” is facing accusations that a glitch in its system is giving away the actual location of its users to anyone with a Web connection.

The charge, first reported by NDTV — which I tested and found to be accurate — is that someone not even signed in to the phone/tablet application can find the location of any Grindr user to within about 100 feet.

Among the locales in which gays were detected by my test of the security breach: Turkey, Jordan, the British House of Commons, and the DC headquarters of the Republican National Committee.

(Update: Using the Grindr security glitch, I just found three gays in Kampala, Uganda; and a colleague found two inside the Russian state Duma (parliament), and one inside the Kremlin itself.)

(Update: The security glitch has now exposed the locations of nearly 200 gay men in Iran, a country in which gay men are hanged.)

Grindr has responded, claiming that the ability to identify the location of its users isn’t a security flaw, but rather, something they intended all along. That claim might come as a surprise to Grindr’s users, who, like me, probably had no idea that they were divulging their exact location to anyone.

Online privacy while gay

Now, why would knowing someone’s location be a problem?

First, there’s personal safety. Sometimes you just don’t want everyone knowing where you live, especially strangers you chat with online.

Second, sometimes you value your anonymity because you’re not “out.” Many gay people are not out of the closet, either because they just aren’t comfortable having everyone know they’re gay, or because they live somewhere where it’s not safe being gay (such as Russia, Africa, certain parts of America, etc.)  They could also be a minor who’s not out to their parents.

How Grindr determines location

Many Grindr users give permission for their general location to be known to other Grindr users – and I emphasize “general.” Depending on the options the user selects, the app will show the distance in feet, meters, miles or kilometers between the user and any other nearby users.

For example, here’s someone 2 miles away from me. Note that while Grindr tells me the person is 2 miles away, I get no additional information as to where they’re located, so I really have zero idea where the person actually is. I can’t even guess what town he’s in, as there are probably 3 towns within that distance from where I am:

[Image: grindr]

But while the app shows that you’re, say, “1000 feet” from a nearby user, it does not show the direction of the other user. Thus, while you know that he’s 1,000 feet away, he could be north, south, east, west, or anywhere in a 360 degree arc; making it impossible to know where he actually is.

The “flaw,” however, uses triangulation to permit anyone to determine the actual location of that user within around 100 feet.  And as one reader notes below, that’s all you need to out someone, especially someone who lives in a rural area:

Wow, I just tried this on myself. I’m currently in a very rural area, and it pinpointed to my exact location. Because there’s no address anywhere near 100 feet of me, anyone can find exactly where I am.

Very alarming! I’m not closeted and don’t generally feel threatened here. But for any homophobe or sociopath to be able to anonymously determine how to get to my front door or window is very disturbing… I’ll likely discontinue Grindr until I see this resolved.

I tested the triangulation via a Web site posted by an anonymous person. The site permits you to zoom in on a map of the US or Europe and find which Grindr users are online, and where they’re located on the map. In my case, the Web site was able to find me on a map within 100 feet of my actual location. (I tried other continents, but was unsuccessful.)

In contrast to some reports online, when I turned off the “show distance” setting in Grindr, my blue dot did in fact disappear from the Web page. It then came back when I turned “show distance” back on.
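
The distance-only display described in this section leaks position because exact distances taken from several vantage points only agree at one spot. One server-side mitigation, shown here as an added example (not Grindr's code and not part of the original post), is to measure every disclosed distance from the centre of a coarse grid cell instead of the user's true position, and to round the result into buckets. The 1 km cell, the 500 m bucket, the function names and the coordinates are assumptions and constructed sample values.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
M_PER_DEG_LAT = 111_320.0  # approximate metres per degree of latitude


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def snap_to_grid(pos, cell_m=1000.0):
    """Replace a position with the centre of its grid cell (assumed 1 km cells)."""
    lat, lon = pos
    dlat = cell_m / M_PER_DEG_LAT
    snapped_lat = (math.floor(lat / dlat) + 0.5) * dlat
    # Degrees of longitude shrink with latitude; size them from the row centre.
    dlon = cell_m / (M_PER_DEG_LAT * max(math.cos(math.radians(snapped_lat)), 1e-6))
    snapped_lon = (math.floor(lon / dlon) + 0.5) * dlon
    return snapped_lat, snapped_lon


def reported_distance_m(viewer, target, cell_m=1000.0, bucket_m=500.0):
    """Distance the server discloses: measured to the target's cell centre,
    then rounded up to a coarse bucket. The true position is never used."""
    d = haversine_m(viewer, snap_to_grid(target, cell_m))
    return max(1, math.ceil(d / bucket_m)) * bucket_m


def demo():
    # Constructed sample data: two users a few hundred metres apart in one
    # cell, and three viewers at different bearings.
    centre = snap_to_grid((41.88, -87.63))
    user_a = (centre[0] + 0.002, centre[1] - 0.003)
    user_b = (centre[0] - 0.002, centre[1] + 0.003)
    viewers = [(41.95, -87.63), (41.88, -87.50), (41.80, -87.70)]
    rows = [(reported_distance_m(v, user_a), reported_distance_m(v, user_b))
            for v in viewers]
    return centre, user_a, user_b, rows


if __name__ == "__main__":
    centre, a, b, rows = demo()
    for da, db in rows:
        print(f"user A: {da:.0f} m   user B: {db:.0f} m")
    print(f"true A is {haversine_m(a, centre):.0f} m from the point the server uses")
```

Because both constructed users resolve to the same cell centre, every viewer receives identical distances for them, so combining readings can recover at best the cell and not the address.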

Examples of locations of Grindr users

Here are some examples of Grindr users the site was able to find in the US and Europe.

Here’s Chicago’s downtown:

[Image: downtown-chicago]

Here’s the neighborhood just south of Paris’ Place de la République:

[Image: paris]

Here’s Malta:

[Image: malta]

And Palermo, Sicily:

[Image: palermo]

And Turkey (I’m intentionally not zooming in all the way, so it’s not entirely clear where these people are):

[Image: turkey]

And Jordan (intentionally blurred):

[Image: jordan]

Israel and Gaza:

[Image: Israel-gaza]

And here’s Moscow, just north of Red Square (I obscured the exact locations):

[Image: moscow]

Here’s Kyiv, Ukraine:

[Image: kyiv]

Here are the US Senate office buildings, circled in red:

[Image: senate-and-congress]

And here are the US House office buildings:

[Image: US-house-]

And here’s someone “working” late in the British House of Commons:

[Image: house-of-commons-better]

And here’s, apparently, an intrepid employee of the Republican National Committee in Washington, DC.

[Image: rnc-dc]

Grindr says it’s not a bug, it’s a feature

Per Joe My God, Grindr has apparently responded to the concerns, saying that this isn’t a security flaw:

“We don’t view this as a security flaw. As part of the Grindr service, users rely on sharing location information with other users as core functionality of the application and Grindr users can control how this information is displayed.

“For Grindr users concerned about showing their proximity, we make it very easy for them to remove this option and we encourage them to disable ‘show distance’ in their privacy settings.

“As always, our user security is our top priority and we do our best to keep our Grindr community secure.”

Well, that’s a bit disingenuous.

When I’ve used Grindr, or any online app that estimates my distance to another user, I never imagined that someone could use the app to find my actual location within 100 feet. So when Grindr users make a decision as to whether to “show distance,” they’re not necessarily making an informed decision to “show location” as well.

And I seriously doubt that any Grindr users were aware that showing their near-exact location (and to someone who doesn’t even have an account on Grindr and isn’t even signed in) was a “core functionality of the application.”

It’s actually kind of creepy.

Also note that the not-a-bug doesn’t just show anonymous blue dots. It shows you the name and picture associated with the user’s profile, when you click the blue dot.  For example, here’s Chicago again, when I clicked on the blue dot at Wabash and Monroe:

[Image: chicago-grindr-pic]

Personally, I find Grindr’s answer disturbing.  I don’t sign in to Grindr in order to let people track my near-exact location as I move around town, and I doubt most of Grindr’s users do either.  Especially Grindr’s users in Russia, Africa, and lots of other places where it’s downright deadly to be gay.

I’m also awfully curious how this comports with Europe’s notoriously strict privacy laws.

This is a security flaw, and it needs to be fixed now.


John Aravosis is the editor of AMERICAblog, which he founded in 2004. He has a joint law degree (JD) and masters in Foreign Service from Georgetown (1989); and worked in the US Senate, World Bank, Children's Defense Fund, and as a stringer for the Economist. Frequent TV pundit: O'Reilly Factor, Hardball, World News Tonight, Nightline & Reliable Sources.

  • babbo natale

    I think the author did not see the point of all this. Knowing your distance from any point is equivalent to knowing your position. This is simple math. You just need to know the distance from 3 different not aligned positions. And this is true for any app showing your distance. Actually, even if an app does not show distance, but only shows surrounding users in distance order, the computation of the position can be made (by faking one more reference profile, and making many more requests). Only thing the developers can do to reduce this is to prevent too many fake requests. But you cannot get rid of this (unless you change geometry).

  • RDU06

    Everyone who thinks they’re smart by commenting about how this is how it’s supposed to work, is just ignorant. No dating, hooking up, or similar site is supposed to pinpoint the location of a user. No “straight” online dating site introduces strangers and hands over the person’s address with a map to go and murder them, nor does anyone go on a site, gay or straight, with the understanding that their location is being provided to complete strangers. Grind’r’s response is an irresponsible and misguided lie to cover up their gigantic security flaw. If anyone were murdered because the app revealed their location, Grind’r would be front and center in a massive lawsuit. I wouldn’t be surprised if they’re about to be served for violation of privacy, frankly.

  • Brian

    Your phone is a computer, and you are online. Anything and everything you do online can AND WILL be recorded, tracked, and has the potential to be made public knowledge. If you want privacy, shut your phone off and talk to someone in person and in private. Anything beyond that and your identity is compromised. Not out? Stay off the apps. Are you a minor? Stay off the apps. Living or visiting an area where we are persecuted? Stay off the apps.

    Be governed accordingly.

  • http://AMERICAblog.com/ John Aravosis

    Sure. The Russians are using VK.com to entrap gays as well.

  • http://AMERICAblog.com/ John Aravosis

    Not really “duh.” Grindr is an app that lets you see the relative distance from other people, but hides where you are for your own safety. Except it doesn’t. In a million years I never imagined that it was easy for anyone to figure out where I, and every other online Grindr user, is at any one time, WITHOUT hacking Grindr’s servers. I think folks who see this as a “duh” story aren’t fully understanding how for most of us, even those of us who aren’t morons, this was not obvious. And thus, Grindr users won’t protect themselves by turning the distance setting off, because they won’t have foreseen the danger.

  • JoeMelrose

    This is not new. I remember an article several years ago about a police department somewhere using a gay dating app or website to entrap gay men (and I think it was post-Bowers, so not that long ago). Before the digital age some homophobic police departments bought and used the old published guides to cruising spots to entrap men. I am mixed-bemused-concerned-and-saddened (what’s the word for that?) when I hear gay men act like everyplace is like LA, SF or NY. There’s a whole other world out there.

  • JoeMelrose

    Well, duh. How did anyone not see this coming? Grindr is by definition an app that finds other Grindr users. It never occurred to anyone that someone might use it for non-hookup purposes?

    BTW I despise all the so-called “social” media and always have. They are really making people anti-social.

  • http://AMERICAblog.com/ John Aravosis

    Grindr? I hardly knew her! Thank you, thank you, I’ll be here all week.

  • http://AMERICAblog.com/ John Aravosis

    No, what I find odd is the people who say “I am NOT looking to hook up,” clearly annoyed about it, and their profile photo is xrated :)

  • http://www.rebeccamorn.com/mind BeccaM

    There are lots of exhibitionists out there who like to fish for what they hope will be compliments…

  • http://www.rebeccamorn.com/mind BeccaM

    Thanks Rerutled. I’m not disagreeing with you. The Grindr situation is far, far, FAR more serious than 4sq or any of the other location-based security breaches. Basically, any government or any individual or group of individuals — including murderous thugs like Russia’s “Occupy Pedophilia” — could access Grindr’s users and locate them. Without even joining Grindr (a distinction that really doesn’t make that much of a difference in the end).

    All I was trying to point out is the already known dangers involved with the proliferation of location-sharing — and the almost criminal level of blithe carelessness on the part of the companies promoting these services.

    But as for whether the NSA or their hired B&H contractors could’ve just accessed 4sq or any other location-sharing service to find all users and their IDs? I should think the Snowden leaks would’ve made it clear by now that if they didn’t already have that capability, it would certainly be on their Santa list.

  • Indigo

    I don’t Grindr. That’s for smart phones and my phone’s just a phone . . . and lousy camera.

  • Indigo

    That’s what they claim on the television machine. ;-)

  • http://AMERICAblog.com/ John Aravosis

    Rerutled is good peeps, I know him. So is Becca, btw – she wasn’t trying to undercut us on this.

  • rerutled

    (1) No other app in the world has ever permitted this; (2) Even if 4sq had a “security hole” which, in one way, was similar to this, grindr says “this is NOT a security hole — we intend to do this.”

    For example: at no time was there any query that anyone at, say, the NSA could make for 4sq which says “Show me all users right now within 1 mile of Harvard Square.” And get back a complete listing, with locations accurate to 100 feet, and pictures of the people involved. You can do that with grindr’s wide open server; and grindr says “we intended this functionality, and we will keep it open.”

    So, no, I don’t think you do understand how these things work.

    EDIT: Becca is *VERY* good peeps – I’ve interacted with her before. But she has this situation wrong, in its relative seriousness.

  • http://heimaey.tumblr.us heimaey

    I see that a lot too. I also get a lot of judging because I’m in an open relationship. Oh you’ve just shown me your ass and you doing all sorts of other things, but you are just shocked to see that I have a bf and can’t understand why I’d cheat (which I’m not).

  • http://www.rebeccamorn.com/mind BeccaM

    For a time, Foursquare had a similar security loophole. Just because it was not EXACTLY the same does not mean there were no similarities whatsoever.

    I’ve worked in technology a long time, Rerutled, and in networking tech for going on three decades now. I do understand how these things work.

  • http://AMERICAblog.com/ John Aravosis

    It showed my location as being right across the street from where I am. I’m estimating 100 feet, could be less, as it was right across the street from me.

  • http://AMERICAblog.com/ John Aravosis

    Yeah, I’ve always found that odd too.

  • http://AMERICAblog.com/ John Aravosis

    Elvis is about to leave the building :)

  • rerutled

    Becca: I don’t think you understand the difference between 4sq’s functionality, and what John describes here.

    Anyone — not someone using grindr, absolutely anyone — with an internet connection can obtain a complete mapped location of every single grindr user in the entire world, accurate to 100 feet, complete with attached picture. It’s a simple, uncredentialed JSON query with a location, and the return values are all those grindr users within some distance (or limited by a maximum number). An automated program could track every grindr user’s whereabouts, log their history of locations. It’s like what cell phone companies do to you, except instead of that information only being available to your cell phone company, it’s available to *everybody in the entire world*.

    There is no other app in the world which has ever permitted this.

  • http://www.rebeccamorn.com/mind BeccaM

    This is actually a problem with many apps out there that share your location. I remember a few years ago a big dust-up with Foursquare, the app where you ‘check in’ to a location.

    It was billed then as a potential tool for burglars (they’d know you weren’t home), as well as stalkers and rapists (they could find you…including times when you were likely to be alone). Worse, they had these campaigns where if you checked in X number of times at a given restaurant or shop, you’d get some freebie, like a coffee or something. Thus providing incentive not to opt out.

    Although some apps let you turn off the “tell everyone where I am” function, often they’re buried or otherwise make the application unusable. Or, as in the Guardian story from 2010, for a time it didn’t matter what your Foursquare settings were — anybody could find anybody.

    http://www.theguardian.com/technology/2010/jul/23/foursquare

    Unfortunately for the users, turning off the “find me” feature often renders the given app useless. Then again, the business model around most of these services is selling the personal and marketing data given willingly by users…

  • why_not_now

    Sad am I.

  • nicho

    Well, see, you failed even there.

  • why_not_now

    I was trying for nano second turnaround.

    Sigh.

  • nicho

    It was a joke. Sigh. But you do get points for going from zero to pissy snark in 10 seconds or less. Sigh

  • nicho

    My peeve is “I’ve met the man of my dreams. We’re really truly in love. I’m not looking to hook up. Just here to chat with old friends. So here’s two pictures of my dick and a picture of my ass.”

  • why_not_now

    I never stated I wanted someone to date.

    I simply stated that it is a sex app and not a dating app.

    Reading comprehension is not strong with you.

    Sigh.

  • nicho

    A “stranger” is just a person you haven’t screwed yet.

  • nicho

    If you want to find a nice gay person to date, go to Christian Mingle. :-) There’s plenty of them there.

  • nicho

    Yeah, but even that won’t stop some homophobe, gay basher, or local busybody from joining Grindr and still smoking you out. I grew up in a small city. I knew women whose entertainment for an evening was to drive around to the AA meeting and see if they recognized any cars.

  • Rambie

    But Nicho, I was raised not to talk to strangers! ;)

    Just in case it’s needed: *snark*

  • Rambie

    Site is dead now I think, it’s not working.

  • why_not_now

    It is a sex app, not a dating app.

  • http://AMERICAblog.com/ John Aravosis

    My peeve is “looking?” as an intro.

  • http://heimaey.tumblr.us heimaey

    Here’s my experience on grindr:

    Me: hi
    them: face pic?
    Me: sure

    Then one of these:

    them: no thanks, bye
    them: big dick?
    them: fuck off
    them: now? u host?

    Then little else happens. I find it to be the rudest people on earth.

  • nicho

    Headline needs editing. Should read:

    Popular creepy gay dating app Grindr faces security breach allegations

    Sites like these are ruining gay social life. You have a bunch of guys staring at Grindr, meeting no one and thinking they have a social life.

    I was in a bar in SF one night. There were a lot of hot guys in there. Half of them were on Grindr trying to hook up with people who were at home pretending to be someone they’re not. Hey, guys, put down the phone, talk to the person next to you. Who knows. You might not score, but you might make a new friend — or meet someone who will introduce you to someone.

  • http://AMERICAblog.com/ John Aravosis

    You know, I was going to mention the issue of being in a rural area, and being the only house for blocks, or miles, and then didn’t. I should have. Just added it, and your comment, above.

  • SuperGuest

    Wow, I just tried this on myself. I’m currently in a very rural area, and it pinpointed to my exact location. Because there’s no address anywhere near 100 feet of me, anyone can find exactly where I am.
    Very alarming! I’m not closeted and don’t generally feel threatened here. But for any homophobe or sociopath to be able to anonymously determine how to get to my front door or window is very disturbing… I’ll likely discontinue Grindr until I see this resolved.

© 2014 AMERICAblog News. All rights reserved.