Introduction

Jodel is an anonymous social media app allowing you to broadcast short text posts and images to other users in a 10km radius. It doesn't have user names and the only information you see about other users is how close they are (“close”, “very close” and so on).

It is marketed towards students, and combined with the anonymity, posts are frequently about sensitive/personal topics, sex and love and stuff like that.

I found some unofficial pages on the Internet that archive interesting threads and noticed there seems to be a user id which is hidden in the app itself, so I started to investigate. It seems like those ids are semi-random and can't be used to connect users between different threads. I then got curious about the distance field returned with posts and replies, and that's what this post is about.

tl;dr

You can locate Jodel users with a way better precision than the in-app information (i.e. “very close” is < 1km distance and the lowest indication available). From my testing I'd say I got locations somewhere in the range of 100m or so.

This works on posts (i.e. Jodels) as well as their replies. The latter also have a distance field, but apparently showing that in-app is only available to some users. As I have been using the API directly, I could locate people responding to posts just as well, even though my mobile app doesn't have that feature yet.

How does it work

When you log in to Jodel, you specify your current location. For every post and reply you get a distance field, which is an integer in the range 1-100. I haven't checked it too much, but the numbers seem to correspond to the distance in kilometers. That fits the description of “very close” posts, which are closer than 1km and return a distance value of 1.

Now the trick is that this distance field is updated whenever you relog and update your own position, specified as latitude and longitude. When you use the API, you can just tell Jodel your new position directly.

This basically gives us an oracle: we feed it an arbitrary latitude/longitude pair and the id of a post whose author we would like to locate, and it returns a number between 1 and 100 describing the proximity.

So what we do is feed positions into it until we get distance values of 1, which gives us a 1km circle the target is in, then dissect that circle with further queries until the overlapping area is sufficiently small. There are probably smarter people with great algorithms for this, but I was lazy, so I built an interactive tool instead.

For the netsec crew: it feels a bit like blind SQL injection, I guess.

API access

The Jodel API isn't public, but there are numerous reverse-engineered libraries available. I used a Python library called jodel-api (https://github.com/nborrmann/jodel_api) for that.

I wrote a bunch of tools to do the work: a few scripts to fetch current posts (so I can grab the post id) and replies (so I can grab reply ids for locating people responding).

For the main tool I decided I want a visual solution so I got myself a Google Maps API key and hacked together an HTML page which loads Google Maps, allows me to set markers and draw circles around them.

What I wanted was that I click on the map, it fetches the distance to a previously specified user/post id and then draws a circle. This way I could just click around on the map until I had a nice small intersection area in which the target would be.

Because I really have no clue about JavaScript and couldn't be bothered to learn, I had to find a way to glue my Python scripts to the hacked-together Google Maps thingy.

So I wrote the ugliest piece of code I've ever written: I added a small HTTP server to my Python scripts and had the JavaScript talk to it via HTTP requests to have it fetch the distance from Jodel. There are JavaScript Jodel APIs, but I'm not smart enough to use them.

As the saying goes: if it is stupid and it works, it isn't stupid.

Picture time

This is what it looks like after manually locating a random user from my home town, same as above:

The markers carry the distance as returned from Jodel. The one on the left is just the location of Karlsruhe (lat/long). Basically I just click a bunch until I get close, then try to decrease the intersection area until I'm satisfied. You definitely could automate that and make it less shitty, but it takes about a minute of clicking to locate anyone, so I really didn't bother to automate this. It's not like I want to use that tool at all; it's creepy.

I've marked the area contained in all circles below. It quickly gets confusing when adding more circles but I could've gone further to make it more precise of course.

Or zoomed in:

That is pretty narrow. I tested it on my home and got a location which was at most 100m off: instead of my home, it looked like I should be at the next street corner, roughly. That's close enough to be uncanny.

Conclusion

I don't really know. I personally feel like this puts a damper on Jodel for me. I enjoyed talking about random, possibly personal stuff because nobody will know who I am, and at most should know I'm in a 1km circle. Especially for people who are further away, the area is huge. For some Jodels I've tested it on, I could pretty much pinpoint suburbs of my hometown, something I never would've known from the closeness tag itself (for people far enough away, that tag covers pretty much the whole inner city).

Another thing I haven't mentioned above, and which is another issue: in a Jodel thread, replies contain a post id, as mentioned above. The thing is that this id is fixed for the whole thread. In the app you have no way to distinguish between replies unless it's the thread author (who gets a special mark). With API access you can identify all replies the same user posted in that thread. I also find this a bit iffy. Not because I want to troll or impersonate others in the same thread, but because now you have to be careful what you post in longer threads. Maybe a single reply cannot identify you, but all posts together might.

Solution

I don't really know either. The feature is part of the charm. As long as you get updated distance values when you change your own location, this “attack” is possible. I don't even need to spam a lot of requests to zero in on a target, so aggressive rate limiting would probably not even prevent it.
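To make the two points above concrete (the distance oracle from “How does it work” and the “as long as you get updated distance values” condition from this section), here is an added simulation. It is not the author's tooling and touches no real API: a local fake server holds a constructed poster position and answers the same kind of integer distance query, and a measurement routine checks how far repeated queries from different viewer positions can narrow that position down. It then repeats the measurement with one possible fix, snapping the poster's stored position to the centre of a 1 km grid square at post time, so that moving the viewer around can only ever reveal which square the poster is in. Assumptions not taken from the post: the distance field is modelled as whole kilometres rounded up (so anything under 1 km reports 1), positions live in a local planar km frame instead of lat/lon, the 1 km cell size, and the sample target and starting guess are constructed.

```python
import math

CELL_KM = 1.0   # assumed grid size for the snapping mitigation (not from the post)


def distance_bucket(km):
    """Model of the integer 1..100 distance field the API returns.
    Assumption: whole kilometres, rounded up, so anything under 1 km is 1."""
    return max(1, min(100, math.ceil(km)))


def snap_to_cell(x, y, cell=CELL_KM):
    """Mitigation: replace a position by the centre of its cell x cell km grid square,
    so every poster inside the same square is stored at the same point."""
    return ((math.floor(x / cell) + 0.5) * cell, (math.floor(y / cell) + 0.5) * cell)


def make_oracle(target, mitigated):
    """Server side. `target` is the poster's true position in a local planar km frame
    (a real service would use geodesic distance on lat/lon). With `mitigated` the
    position is snapped at post time and the exact one is never consulted again."""
    stored = snap_to_cell(*target) if mitigated else target

    def oracle(qx, qy):
        # Same leak as described in the post: the viewer picks the query position
        # freely, the server answers with the bucketed distance to the poster.
        return distance_bucket(math.hypot(qx - stored[0], qy - stored[1]))

    return oracle


def feasible_extent(oracle, mitigated, guess, query_half=3.0, query_step=0.25,
                    cand_half=1.5, cand_step=0.05):
    """Measure how far repeated queries can narrow the poster down.

    Queries the oracle from a lattice of viewer positions around `guess`, then keeps
    every candidate position on a finer grid whose modelled responses could match
    all observed ones. Returns the largest axis-aligned span (km) of the survivors.
    `mitigated` tells the consistency model whether the server snaps positions."""
    gx, gy = guess
    n = int(query_half / query_step)
    observations = []
    for i in range(-n, n + 1):
        for j in range(-n, n + 1):
            qx, qy = gx + i * query_step, gy + j * query_step
            observations.append((qx, qy, oracle(qx, qy)))
    # The true position can sit up to half a grid diagonal away from a candidate,
    # so accept a candidate if the response could come from anywhere that close.
    h = cand_step * math.sqrt(2) / 2

    def consistent(cx, cy):
        px, py = snap_to_cell(cx, cy) if mitigated else (cx, cy)
        for qx, qy, r in observations:
            d = math.hypot(qx - px, qy - py)
            if not distance_bucket(max(d - h, 0.0)) <= r <= distance_bucket(d + h):
                return False
        return True

    m = int(cand_half / cand_step)
    survivors = [(gx + i * cand_step, gy + j * cand_step)
                 for i in range(-m, m + 1) for j in range(-m, m + 1)
                 if consistent(gx + i * cand_step, gy + j * cand_step)]
    xs = [p[0] for p in survivors]
    ys = [p[1] for p in survivors]
    return max(max(xs) - min(xs), max(ys) - min(ys))


def compare(target=(0.42, -0.27), guess=(0.70, -0.05)):
    """Constructed scenario: the poster is at `target`, the viewer starts from a
    rough guess about 0.36 km away (what the in-app 'very close' tag allows) and
    measures the residual uncertainty with and without the mitigation."""
    raw = feasible_extent(make_oracle(target, False), False, guess)
    snapped = feasible_extent(make_oracle(target, True), True, guess)
    return raw, snapped


if __name__ == "__main__":
    raw, snapped = compare()
    print(f"exact positions:   poster pinned down to a {raw * 1000:.0f} m span")
    print(f"snapped positions: poster pinned down to a {snapped * 1000:.0f} m span")
```

With exact positions the surviving region is a small fraction of a kilometre, which is the effect the screenshots show; with snapping, every candidate inside the poster's grid square produces identical answers, so the survivors cover the whole square and the uncertainty is pinned at the cell size no matter how many positions the viewer tries. That floor is roughly what the app's own “very close” tag already promises, and because the bound comes from what is stored rather than from how often it is asked, it holds even without rate limiting. The exact figure for the unmitigated case depends on the bucket model and on the query lattice, which is why the comparison, not the number, is the point.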

Not my problem though. I just wanted to see if it works, and yup, it does.