Follow this cozy thread for a story of how I found the address of someone 7600 kilometers away from me with a 20-to-50 meter accuracy in just 5 minutes, using a dating app that's used by over 5 million people worldwide.

#Infosec #Ethical #Hacking #EFF #Privacy #Illusion
Disclaimer(s):

I am not the first person who has done this; all of this happened on the spur of the moment, without doing _any_ kind of research. It was a personal journey for entertainment and education, and my 'target' (a friend) fully consented to this.
0/0
About the App

App asks for location access, and then lets you make a profile w/ image and text

You will then be presented with a view of other users, all sorted by what appears to be a mix of distance and 'last seen'. Some users have a distance indication (e.g. 2 km).
You can tap on a profile to see more info, like a biography, preferences, and photos the user shares.

You are also able to perform an action that resembles a 'like' and 'favorite' (for your own shortlist of cuties~!) and 'Message'. The latter two are part of the attack vector.
The premise of the app appears to be this:

You find someone of interest in the list of nearby users, message them, and hook up.

Cool. But.. what if you just want to find out things about them? Where they live, or work, or study?

Well.. buckle up because here we go.
There are apps that allow you to spoof your GPS location. Because of this, we can triangulate users. One of the apps made life even easier by recently releasing a "Web" version which allows for full functionality from the comfort of a computer's browser instead of a phone.
Step 0: Using your GPS spoof app, pick a spot, any spot.

Step 1: Select a target, and favorite their profile.

Step 2: Use that spoofed location in combination with the distance to your target, and draw a circle on a map. This can be a HUGE radius of thousands of km.
Step 3: You drew a circle on a map. Spoof your location to a few points on the perimeter of that circle until you find the closest distance result. In this case, I managed to narrow my target down to Oslo, Norway (from 7600 km away). Less than 20 km from the city center.
Step 4: Spoof your location to that 'nearest match' location, and see how far away your target is now. Traverse with your location around that circle until you get a close proximity again. I narrowed it down to 1 km at this point.
Step 5: Same process again. Play hot/cold until you have a point where three of your circles join together. You don't even have to do it many times; three points in cardinal directions from each other will yield good results.
Step 6: Cool, YOU GOT THEIR LOCATION.

But... what if they were there hours ago? Wouldn't that defeat the purpose?

Well, turns out that if you send them a message, they get a push notification, which appears to force a 'seen' and location update (needs further testing), either by the user manually checking or by the app just doing its thing.

I will follow with a simulated set of photos to demonstrate what this looks like.
I am in Salt Lake City.
My target is shown as being ~7600 kilometers away from me.

Anywhere in the darkened area is where they are -not-
They are somewhere very close to that red line. I'm going to guess 'Europe', so that narrows it down to

- UK
- Norway
- Sweden
- Finland
So now I spoof my location to a next point and check the app once more. We're now <600 kilometers away according to the app, so we draw another circle.
Every step from here is a process of refinement and narrowing it down. Pick a location, note the distance, draw a circle. Keep repeating this and pay attention to where overlaps happen. Walk the perimeter of that circle and use your brain to create a very narrow scope to search.
Well, they aren't in the water.. and we see some interesting overlap happening with those circles, almost like we have.. three (tri) angles (angulation) happening.

Keep narrowing it down until you've found their location.

But *is it accurate?*
Well, the application exposes certain data, such as a unix epoch timestamp, which can be translated back into human readable format.
And in the case that the timestamp is too old? Send the user a message; from my tests, it almost instantly caused a location update.
This is not to scare anyone away from apps like @Grindr or @HowlrApp; it just underlines the inherent issue with an application like this. Privacy is something we tend to take for granted, and most people don't consider "Well, they only see a distance" to be a vector of attack.
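For developers of such apps, here is a server-side mitigation sketch, added as an example and not part of the original thread or of any app's code: snap each user's stored position to a coarse grid before computing the distance shown to others. The grid size, function names and coordinates are assumptions constructed for illustration.

```python
import math

EARTH_KM = 6371.0
CELL_DEG = 0.01  # assumed grid size: about 1.1 km of latitude per cell

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_KM * math.asin(math.sqrt(h))

def snap(point, cell=CELL_DEG):
    """Replace a position with the centre of the grid cell containing it."""
    return tuple((math.floor(c / cell) + 0.5) * cell for c in point)

def raw_distance_km(viewer, target):
    """Weak setting: distance to the true position, 10 m resolution."""
    return round(haversine_km(viewer, target), 2)

def exposed_distance_km(viewer, target):
    """Hardened setting: distance to the snapped position, whole km."""
    return round(haversine_km(viewer, snap(target)))

def distinguishable(probes, a, b, distance_fn):
    """True if any viewer position gets different readings for a and b."""
    return any(distance_fn(p, a) != distance_fn(p, b) for p in probes)

# Constructed sample data: two users ~600 m apart inside one grid cell,
# and viewer positions at several ranges (all coordinates are made up).
USER_A = (59.9131, 10.7522)
USER_B = (59.9178, 10.7589)
PROBES = [(40.7608, -111.8910), (59.95, 10.75), (59.90, 10.80), (59.92, 10.70)]

if __name__ == "__main__":
    for name, fn in (("raw", raw_distance_km), ("snapped", exposed_distance_km)):
        print(name, [(fn(p, USER_A), fn(p, USER_B)) for p in PROBES])
    print("max displacement km:", round(haversine_km(USER_A, snap(USER_A)), 2))
```

With snapping, every reading points at the cell centre, so the cell size sets the floor on how precisely a user can be placed no matter how many viewer positions are tried. Rounding the distance to the true position does not give this property, because moving the viewer across a rounding boundary still leaks where the true position is.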
You can follow @VixusFoxy.