I just found gay Grindr users in Iran, Brunei after Grindr “fixes” location problem

Only hours after gay smartphone app “Grindr” attempted to fix a glitch in its system that has already outed the exact location of over 600,000 gay men in countries like North Korea, Iran, Russia, and Brunei, I was able to locate the exact position of dozens of gay men in Iran and Brunei, two of the most repressive anti-gay regimes in the world.

As you may recall, Grindr is an app that lets gay men find other gay men to date, befriend, or hook up with. The app works by finding your location, then showing you other gay men who are in your area.

While it does not show you where the other Grindr users are, it does show you their distance from you. However, it does not say which direction they’re in, making the distance revelation relatively safe, unless it’s for short distances like 100 feet.
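A server-side way to keep the displayed distance coarse, including at the short ranges flagged above, shown here as an added example (not Grindr's code and not part of the original post): both positions are snapped to a grid cell before the distance is computed, and the result is bucketed and floored. The cell size, bucket step, floor and coordinates are assumptions constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
GRID_DEG = 0.01    # assumed cell size, roughly 1.1 km of latitude
BUCKET_M = 1_000   # assumed reporting step
FLOOR_M = 1_000    # assumed minimum: nothing closer than this is ever shown


def snap(lat, lon, cell=GRID_DEG):
    """Replace a coordinate with the centre of the grid cell that contains it."""
    return ((math.floor(lat / cell) + 0.5) * cell,
            (math.floor(lon / cell) + 0.5) * cell)


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def displayed_distance_m(viewer, target):
    """Distance the server returns to the client.

    Both ends are snapped first, so the value depends only on the two grid
    cells, never on where inside a cell either user actually is. The raw
    coordinates and the unrounded distance never leave the server.
    """
    d = haversine_m(snap(*viewer), snap(*target))
    bucketed = math.ceil(d / BUCKET_M) * BUCKET_M
    return max(FLOOR_M, bucketed)


if __name__ == "__main__":
    # Constructed sample coordinates, not real users.
    viewer = (52.5046, 13.3921)
    user_a = (52.5231, 13.4112)   # same grid cell as user_b
    user_b = (52.5279, 13.4188)
    neighbour = (52.5205, 13.4103)  # same grid cell as user_a
    print(displayed_distance_m(viewer, user_a))     # 3000
    print(displayed_distance_m(viewer, user_b))     # 3000
    print(displayed_distance_m(neighbour, user_a))  # 1000 (floor applied)
```

Two users anywhere in the same cell produce the same figure for every viewer, so the figure cannot be more precise than the cell.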

Two weeks ago, a European Grindr user uncovered a glitch in the system that permitted anyone with an Internet connection to discover the exact location of any Grindr user online anywhere in the world.

As a result, I was able to locate the exact position of Grindr users in Russia, Iran, Brunei and other anti-gay countries.

While Grindr’s only statement on the matter to date is that “we do not view this as a security flaw,” Grindr did turn off its location-disclosure functionality briefly last night, only to turn it back on again this morning.

It appears, according to the anonymous Grindr user who uncovered the security breach, that Grindr is blocking the IP address of anyone attempting to find the exact location of its users. (Grindr is also requiring you to register a new account before massively violating the privacy of their users.) But if Grindr thinks this is a sufficient fix, they might want to have a chat with the following gay men I just found in Tehran and Brunei. All you have to do, apparently, is create a new IP address and a new account, and voila, you’re in.

The following maps are zoomed out to protect the innocent. The detail of the map is down to the precise location on their street.

Brunei

The exact location of gay men currently on Grindr in Brunei, a country in which gay men can be stoned to death.

Tehran, Iran

The exact location of gay men currently on Grindr in Tehran, Iran, a country in which gay men are put to death.
John Aravosis is the editor of AMERICAblog, which he founded in 2004. He has a joint law degree (JD) and masters in Foreign Service from Georgetown (1989); and worked in the US Senate, World Bank, Children's Defense Fund, and as a stringer for the Economist. Frequent TV pundit: O'Reilly Factor, Hardball, World News Tonight, Nightline & Reliable Sources.

  • caphillprof

    No but I think you all are pushing the nanny state way too far.

  • Drew2u

    You’re a libertarian, aren’t you.

  • caphillprof

    I guess we cannot assume they have any common sense, any personal responsibility

  • nicho

    Being gay does not equal being on a gay hookup web site. Grindr is the cyber equivalent of lurking in a public restroom looking for a blow job. It’s generally not a good idea. In a repressive dictatorship it’s a really bad idea. Gay people have lived for centuries without signing on to these obnoxious sex sites. Millions still do.

  • Drew2u

    What bothers me is the part in the log where it talks about dummy messages. I’ve noticed an increase of blank profiles saying “hi” and nothing else when I talk, except for an extremely fast, automated message when I say anything about a pic or a picture; which contains a link to an external site. Oddly enough I’ve received 4 of those dummy profiles since this announcement about the Grindr failure:

    # 3 Sender spoof

    So far so good. The messages are not sent directly, but rather as JSON-Objects. It is at this point in which a sender-spoof can take place:

    You simply send a message to another grindr user’s ID (see profileId from #2b (locating guys on Grindr)) containing the following message:

    Only the intended target will have knowledge of the spoofed message. The “sender” user-ID used for the spoof will not receive a copy.

  • dcinsider

    Isn’t that the answer? If you don’t want your location known to other gay men and others who might have bad intentions, don’t advertise it on Grindr. There are other ways for gay men to meet, even in Iran I bet. Remember, it was almost as dangerous in the 1950’s for gay men in the US. Yet, these guys found each other without the assist of an app.

  • dcinsider

    I don’t see it as assigning fault so much as I see it about some level of common sense. You don’t walk into traffic. And for gay men in Tehran or Birmingham, you don’t expose yourself to danger unnecessarily. That’s not pretty it’s just reality.

  • Mike_in_the_Tundra

    There’s been a lot of talk about Grindr, but don’t forget its entertainment value:

    http://www.douchebagsofgrindr.com

    I really don’t understand the guy who said no 420 and the other guy who said no gingers. I think they’re making big mistakes.

  • Socius

    Just as a word of caution…it is possible and likely that Iran operates some of those accounts, in order to find sodomizers. They do the same with fake facebook accounts/friend requests. Also as a note…Iran has recently updated their rules regarding sodomy. Previously, both parties would be executed. Now, the party that takes it in the…bunghole…gets executed. The giver just gets lashed. Guess they figure a hole is a hole. :P

  • http://AMERICAblog.com/ John Aravosis

    That’s the concern the European guy who discovered this has, and the MIT guy I spoke with. Both agreed with Grindr, this IS a feature, not a bug. It’s not something that can just be turned off.

  • http://AMERICAblog.com/ John Aravosis

    Yes and no. If you live in a society where it’s illegal to be gay, illegal to have sex, illegal to ever fall in love, you might just try anyway. Yes, people should be careful. But I’m not entirely ready to fault some gay guy in Iran for trying to be gay.

  • http://AMERICAblog.com/ John Aravosis

    Exactly. I assumed that they were protecting our exact locations. And people can say that’s silly to expect some element of privacy, but people really do.

  • http://AMERICAblog.com/ John Aravosis

    The guy who discovered the breach is blurring the pics intentionally. In fact, what he found is that you can access the large photos that people upload – not just the itty bitty one you see on the app, but the huge 1000 x 1000 or whatever photo that some people upload. That’ll be a big help towards identifying folks.

  • http://www.rebeccamorn.com/mind BeccaM

    You have my sympathies, Drew, truly.

  • http://www.rebeccamorn.com/mind BeccaM

    Yeah, disable GPS too.

  • Brian C. Bock

    So the tool that is peeking at Grindr obscures the pictures of people by applying a blur filter. But this is done in the browser. So the unblurred pictures can be seen if you drag them or if you examine the document and look at the image assets of the page.

  • Kenster999

    Not just IP address — location! :)

  • mirror

    An ordinary not very tech-savvy person would assume an app advertised to support connecting with other gay men would have specific identity and location security built into the process as a foundational element.

    Yeah, sure, maybe even those who should know better haven’t approached using the app with the proper level of paranoia, but isn’t that what makes Grindr’s sloppiness and now callous indifference so pernicious? Playing on people’s fears by holding out the hope of reduced-danger social introduction, while failing to follow through on the most important element of the sales pitch.

  • caphillprof

    But as I recall, when you set up an account you have to turn on the location finder.

  • dcinsider

    Grindr, an app used to locate and murder gay men. Yeah, I’d download that one. I would definitely do it if I lived in Iran. Of course, you can be murdered right here in the old US of A as well. Not sure Iran is that much different from parts of Alabama.

    In other words while the app may be invading privacy, the user needs to take a little of the blame, no?

  • Drew2u

    Your last paragraph easily applies to a pyramid-scheme seminar I was duped into attending last week, lol

  • Drew2u

    Depends on the education. Grindr certainly doesn’t advertise, “YOUR EXACT LOCATION WILL BE FINDABLE” and unless all 600,000+ affected users read the half-dozen or so English-language/based web posts in the past week, then how would they know? That’s sort of two strikes, right there, against their educated decision (Capitalism abhors an educated populace)

  • http://www.rebeccamorn.com/mind BeccaM

    There isn’t. But Grindr is like a great big swimming pool, and they’re constantly advertising how wonderful it is, how there are all kinds of amazing and beautiful people to meet in there — “Jump on in!” — and they don’t say a single word about the fact the pool is actually filled with piranhas and water-snakes.

    It’s kinda hard to ‘take responsibility’ for yourself if you don’t know you’re in danger. And worse, have someone at your side kinda saying everything’s fine, don’t worry, this distance-to-user thingy actually makes you safer for hookups…

  • Drew2u

    “One implication of this technology is that data about a subscriber’s location and historical movements is owned and controlled by the network operators, including mobile carriers and mobile content providers. Mobile content providers and app developers are a concern. Indeed, a recent MIT study by de Montjoye et al. showed that 4 spatio-temporal points, approximate places and times, are enough to uniquely identify 95% of 1.5M people in a mobility database.” – wikipedia’s entry on LBS

    Also, the Location Privacy Protection Act of 2012 (S.1223) which addresses some, but not all issues regarding LBSes, died in the Senate in, of course, 2012.

  • caphillprof

    Don’t gay men have to take responsibility for themselves? Especially in repressive countries? Is there something that prevents gay men from turning off the Show Distance in the Privacy setting?

  • http://www.rebeccamorn.com/mind BeccaM

    The only permanent fix is to disable location services for any Grindr user whose IP is located in countries where being gay is illegal, like Brunei and Iran. It wouldn’t stop the all-too-easy spoofing of IPs…but it would extend some protection to all those users out there who are apparently too blithely ignorant of the danger they’re putting themselves in by using Grindr.

  • Indigo

    No kidding. Sigh.

  • Rambie

    Users can disable their location sharing in settings. This will prevent your location from showing up on the map. I’ve tested this myself out of curiosity.

  • http://www.americablog.com/ Naja pallida

    I really don’t see how they can ever actually fix this, as long as they have any kind of relative distance feature. The only sound option, is like nicho said in the previous thread, stop using the app. I just find it interesting that it has thus far not been exploited, given that Grindr is ~5 years old now and the possibility has always been there.

© 2014 AMERICAblog News. All rights reserved.