Tinder dating app bug exposed millions of geolocations, and the company kept quiet about it

While the app may rely on geolocation to "match" a prospective dating partner, the last thing you'd want is a hacker knowing where you ended up that evening.

Image: Include Security

Online dating app Tinder for most of last year suffered a bug that would have allowed hackers to determine the exact location of its users.

Disclosed on Wednesday by information security firm Include Security, the company said the popular geolocation-based app, used often for finding dating matches and random hookups (hello, elephant in the room), put users at risk as a result of the security vulnerability.

If the app was running, the company said, anyone with knowledge could "get the exact latitude and longitude co-ordinates for any Tinder user."

The app is simple. You can see people within your close geographical location and "like" or "nope" them. If two people "like" each other, they can chat on their mobile devices.

Describing this as a "privacy violation" for the users of the popular app that's available for both Android and iOS devices, the company confirmed that "anyone with rudimentary programming skills could query the Tinder API directly and pull down the co-ordinates of any user."

From the API data, it was possible to triangulate the exact location of a user with a "very high degree of accuracy," specifically within 100 feet from the company's experiments.

In an FAQ on its disclosure blog post, the research firm warned that these flaws can be "common place in the mobile app space."

The bug was reported to the Tinder app maker immediately and was fixed between December and early January. However, the company did not disclose the vulnerability when it was privately reported.

Include Security's founder and managing partner Erik Cabetas said it was "not possible" for one Tinder user to know if another took advantage of the security flaw, but wanted the repercussions of this bug — considering its massive user base — was "pervasive."

We put in questions to Tinder but did not hear back at the time of writing.