If you are looking for a date, Tinder is pretty neat. If you are concerned about your privacy, it is less than ideal. We discovered that Tinder’s Groups feature allows users to track their Facebook friends. To shed light on this privacy issue and show why it is problematic, we built a Chrome plugin to stalk our friends and pinpoint their location. Although this blog post is focused on Tinder, this issue is widespread and can be found in every application using location in a similar fashion. We decided to focus on Tinder based on its popularity and the fact that its users do not seem to be aware of the risks.

This is not the first time privacy has been discussed, but it has not received the attention it deserves. Credit to others follows.

Note: Prior to publishing this write-up, we contacted Tinder. The Tinder Groups feature was removed soon after, but it is impossible to say whether this was related to the findings described below. The privacy issue, however, still exists.

What we did and what can happen

Any one of your Facebook friends – your partner, your boss or just your over-protective mom – can see you as a dot on a map, whenever they like, updated live. Every person you match with on Tinder can do this as well. Sounds a bit creepy? It should. However, the scenario described above is reality if you are using Tinder Groups.

Even if you are very strict about your Facebook friends and only befriend those you trust with your location, are you sure that they have not been hacked? If someone hacked any of your friends’ accounts they would gain the ability to stalk you. We demonstrated all this by building a Chrome plugin that exports all your Facebook friends’ Tinder User IDs if they are using Tinder Groups. Bundled together with this is the ability to track a user based on the user ID. The end result is a user-friendly plugin that can be operated by anyone.

A further development of the plugin, left as an exercise for the reader, would be to make one big map with a dot for each and every one of your friends, constantly updated with data from Tinder.

Initial look at the API

Tinder has no official API, but the mobile application’s traffic is easily sniffed. With Burp running on a laptop nearby, all we had to do was install Tinder on a phone, proxy all traffic through the laptop and start to listen. No cert-pinning or similar techniques to keep in mind. There is also unofficial documentation on Github if you want a head start.

Soon after logging in to Tinder all the API requests can be seen flying by. Looking at this, it becomes clear that the API was once very verbose, something Tinder later tried to fix. Age is sent as a fake date of birth that then is calculated client-side, everyone seems to have been last active in 2014, and so on. Placeholders cover a lot of data points and we became curious about what we would have found had we looked into this earlier.

However, a few of the existing endpoints got our attention:

Endpoint What it does /group/friends Retrieve the information about which Facebook friends are using Tinder Groups together with their Tinder User ID. /user/[userid] Get available information about a user ID. One of the data points is the distance from you to the target. /user/ping Send lat and lon-coordinates here to change your location.

* As mentioned above, /group/friends no longer exists.

In each request to the API some information such as authorisation tokens and installation ID is sent. During the debugging part this is not a problem, but it makes creating a user-friendly PoC harder.

We missed it in the beginning of this project, but Tinder actually has a web version as well. This becomes very handy here, as we can let the original web app deal with the whole authorisation part and then just use the token. As the token was saved in localStorage it can be retrieved with JavaScript:

localStorage.getItem("TinderWeb/APIToken")

This makes creating a PoC very easy. The web version is more limited than the mobile application, but we can use the token from web with the endpoints from mobile, so this is not a problem in our case.

As there is a web version we can use the “copy request as curl” in Chrome network view to save some time instead of using Burp when doing some smaller checks. Nothing dramatic, but a trick to keep in mind.

Tinder Groups

It must be noted that Tinder Groups is opt-in. Not everyone who uses Tinder uses Tinder Groups. The privacy issue described below has been reported to Tinder before, but Tinder responded that the Groups feature is opt-in. However, many Tinder users we asked did not know they had enabled the feature, so it can clearly be done unintentionally.

To see if you are affected, open Tinder and navigate to Tinder Groups. If this works, the feature is enabled and you can disable it in settings. If Tinder Groups is not enabled, the app will prompt you to enable the feature and you can, of course, politely decline.

Internally, Tinder Groups seems to be called Tinder Squads. References can be found in code and endpoints. Just wanted to mention that somewhere…

As mentioned before, the /group/friends-endpoint discloses your Facebook friends who are using the feature, along with their Tinder User IDs. Requesting this information is as easy as shown below:

function getFriends() { var xhr = new XMLHttpRequest(); xhr.open("GET", "https://api.gotinder.com/group/friends", true); xhr.onload = function () { parsed = JSON.parse(this.response); for (i = 0; i < parsed.results.length; i++) { add(parsed.results[i].name + " : " + parsed.results[i].user_id); } }; xhr.setRequestHeader("x-auth-token", localStorage.getItem("TinderWeb/APIToken")); xhr.send(null); }

The plugin in action, running the code above.

With the Tinder User IDs of our Facebook friends we are able to request all public information about their profiles. This is the data you normally see when matching with someone: all pictures, bio, age, distance, and so on. This information is interesting, but not sensitive. It is also considered public, but you might not expect your friends to get hold of it.

Triangulate users

Now we are getting to the good stuff. Looking back at the API documentation we see that one of the endpoints allows us to change our location, and another one to get the distance between us and the target (although we doubt Tinder would be comfortable with the word ‘target’). See where this is taking us?

Max Veytsman showed the possibility to triangulate Tinder users back in 2014, long before Tinder Groups. By using three different locations and measuring the distance from each we are able to pin-point/triangulate the user.

There seems to be some kind of protection in place against quickly changing your position, but it is not documented and we never figured out exactly how it works. One time we were able to jump between countries within seconds and everything worked out fine, but for the most part you get a error back when you change the location too quickly. Some more guesses, but no absolute facts, can be found on discussion boards online.

There is a premium Tinder feature that allows the user to manually set the location. This might render triangulation more efficient.

When Max Veytsman pointed this out back in 2014 Tinder used a float (a number with decimals) for distance, meaning you could get an exact distance by triangulating a user. In response to his findings they changed it to an integer. Had they stopped there it would still be possible to get an exact position by increasing the distance a bit each time until the counter changes to the next integer. However, we could not do this, which makes us think some kind of arbitrary distance preventing this type of triangulation has been implemented. As a result, our accuracy in triangulating a user is limited to about a kilometer for now, but it cannot be ruled out that higher accuracy could be acquired if some more time were spent on figuring this part out.

The result of the triangulation can be found in the introduction of this blog post, and it should be fairly obvious how it was done. This method still works at the time of writing and will probably continue to work for long.

What is the solution?

What you can do

Make sure Tinder Groups is not enabled. This will prevent Facebook friends from finding out your Tinder User ID as easily, but it does not do anything against the tracking issue.

If your location being publicly disclosed is a problem – delete the app.

What Tinder can do

They could have made our research harder, but they could not have stopped it. For their business model to work, the location needs to be exposed publicly, always allowing for these kinds of tricks to be pulled.

We did not spend enough time playing around with the distance, but it would be possible to make it even more accurate with some statistical analysis of multiple requests. However, it seems like Tinder has actually tried to hide the location as much as can be expected from them.

Trying to be a bit philosophical

As this issue can never be fully protected against anyway, maybe the right answer is to not obfuscate anything? Security by obfuscation and all that. Trying to hide the information creates a false sense of privacy for the user.

Maybe the general public is okay with this, and those who care are in the minority? When Snapchat released their map feature people jumped aboard with little to no hesitation, sharing their exact location with anyone willing to stalk them. We talked to some of our Facebook friends we found on Tinder and can confirm that not everyone is happy to be stalked.

The point we are trying to make here is that there are no existing solutions to this but to spread awareness. If you believe your privacy is worth less than the possibility of a Tinder date, then for all means go ahead and continue using apps like these, but you should have a chance of knowing what you are doing.

Linus Särud Fredrik Almroth

@_zulln @almroot