Cyber-security researchers working with the BBC showed that security flaws in Grindr, Romeo and Recon allow others to track users to their precise locations, something that could endanger users. And this isn’t the first time Grindr has had this exact problem.
Even worse, the BBC reports, when researchers told the companies about this flaw, only Recon made changes to stop it — Grindr and Romeo reportedly did not.
“This problem and the associated risks have been known about for years but some of the biggest apps have still not fixed the issue,” the BBC reports.
Here’s how the flaw works, using a process called “trilateration”: if Grindr shows someone as 650 feet away, you can draw a circle with a 650-foot radius around your own position and know that the user is somewhere on the perimeter of that circle. If you then move to two other locations and do the same thing, the three circles overlap at roughly one spot, which more or less pinpoints where the man is, like this:
An example of “trilateration” (image via BBC)
You don’t even need to leave the house to do this. According to the BBC, “Researchers from the cyber-security company Pen Test Partners created a tool that faked its location and did all the calculations automatically, in bulk…. The researchers were able to generate maps of thousands of users at a time.”
When confronted with this info, Grindr told the BBC, “[Users have the option to] hide their distance information from their profiles. [Grindr obfuscates location data] in countries where it is dangerous or illegal to be a member of the LGBTQ+ community.”
But researchers said it was possible to figure out someone’s location even if users hid their distance info. And even though it’s not “dangerous or illegal” to be gay in the U.K. where this research was conducted, “It leaves their users at risk from stalkers, exes, criminals and nation states,” Pen Test Partners said.
This is particularly worrying because some criminals in the U.S. are already using the app to target, rob and beat up gay and bi men.
Romeo didn’t reply to the BBC’s request for comment. Scruff and Hornet both have tech that protects their users’ locations from being calculated.