Report finds dating app Tinder didn’t come clean about its privacy flaw

Dating and hookup app du jour Tinder, which recently expanded to Android after becoming a hit on the iPhone, has found itself backpedaling on a privacy snafu that was apparently more serious than the company initially let on.

Quartz’s Zach Seward reported Tuesday that the app’s API, which tells users the first names of singles who are within a given radius of them, served up more detailed location information that would have allowed users to track down their semi-anonymous paramours via Facebook.

With the right hack, information about a specific user’s last known approximate latitude and longitude as well as his or her Facebook ID (Tinder uses Facebook to pull information about a user’s hobbies and interests as well as connect friends-of-friends) could be prominently displayed. With that information, a hacker could find a user’s real last name, social presence on other sites, and even track down the user based on known locations.

When asked for comment, Tinder CEO Sean Rad admitted the mistake to Seward and offered an explanation:

A Tinder app for Android phones was released last week, and Rad attributed the security issue to code written for the app’s release. He couldn’t provide a precise timeline of when the issue began and when it was fixed, but said it was a matter of hours.

But what appeared to be a tidy resolution was not quite as cut and dried. Seward reported Wednesday that instances of the security flaw appeared as early as July 8, when independent software engineer Mike Soares discovered the issue and emailed the company. Soares didn’t get a response from Tinder until July 15, when the company replied to say the issue would be fixed that day. Seward notes that the same problem cropped up again, and the company attributed the reappearance to a code release related to the Android app. All of this happened before the breach that Seward initially reported.

Tinder didn’t tell users about the security flaw before Seward’s report — and even struck a defensive posture on Twitter after it became public. Seward, meanwhile, says that Tinder’s API still has information in it that is too sensitive.