Tinder exposed its users' exact physical location and Facebook profile not for a "few hours," as the company's CEO previously indicated, but for a few weeks. According to Quartz, Tinder had decided not to notify its users of the security flaw because it "was there for like an hour," but, no, that wasn't true: A software engineer named Mike Soares notified the company about the hole on July 8. Here's what he found, again according to Quartz:
Mike Soares, an engineer in San Francisco, says he discovered the issue on July 8 and immediately informed the company in an email to firstname.lastname@example.org. The subject line was, “Privacy Hole With Your App,” and it detailed how Tinder’s API was returning more information than necessary, including the location and Facebook data.
Tinder needs to record each user’s last known location in order to suggest other people within a certain distance. But no one is supposed to see a user’s exact location, a privacy violation that could be considered especially egregious because Tinder is used to find people to hook up with. An introductory screen when first signing up for Tinder assures, “Your location will never be shown to other users.”
What does this mean? It means that this loading screen should have popped up with flashing BULLSHIT-BULLSHIT sirens for the past two weeks:
And Tinder has yet to inform its users, still scrolling through for hookups, that there was a stretch of time when it was possible for others to identify your Facebook account. Which is pretty much the most important part of the app.
I'll continue to use Tinder, obviously—but here we are, yet again, burned by a tech company and its lax policies toward security. Is anyone surprised?