What is Grindr?
"Grindr is a geosocial networking application geared towards gay, bisexual, and bi-curious men. The app makes use of the device's geolocation, which allows users to locate other men within close proximity. This is accomplished through a user interface that displays a grid of representative pictures of men, arranged from nearest to farthest away. (...) The largest and most popular gay mobile app community in the world currently available in 192 countries."
(en.wikipedia.org)
First information to Grindr
Grindr has been informed independently by different people about issues in their system, allowing anyone find out the exact position of their users.
Grindr has been informed several times again, sometimes they responded, most of they time they did not.
They have been aware of this issues since minimum March and took no action.
Last information to Grindr
After Grindr has been repeatedly informed during the past six months, they received the last information before the whole story went public in early August. Locating users is still possible, no reaction.
early Aug/14
Going public
I released a technical documentation and video demonstration of the location flaw and sent it to several newssites, started a Twitter account.
Sent out warnings
From the very beginning it has been clear that people in countries with anti-gay law might be in danger. So I sent a warning to 100.000 Users in those countries.
(Grindr fails in protecting the privacy and so do they in spamprotection.)
"Alleged Grindr Security Flaw Exposes Exact Location Data, Endangers Users"
NDTV published the first article.
20/Aug/14
"We don’t view this as a security flaw"
First official statement from Grindr arrived: It's no a bug, it's a feature!
So I created "GrindrMap" and made this "feature" available to anybody.
It allowed anyone to locate Grindr-Users and show them on a map.
Of course, I blurred all pictures and blacklisted more than 70 countries with anti-gay law. Users from these countries have never been displayed on the public map.
"Grindr security glitch exposes gay users in Uganda, Russian Kremlin"
When americablog.com reported, we got in contact and I created a custom, uncensored map for them to point out the problem:
gay users in Uganda, Russian Kremlin
500.000 localizations..
..of 150.000 unique Grindr users have been performed within the first 48h when the map went public. Each of them received a notification about what's going on and how to prevent being located again (turn "show distance" off).
"Grindr smartphone app outs exact location of gays across Iran"
Grindr smartphone app outs exact location of gays across Iran (americablog.com)
1.000.000 times..
..350.000 unique Grindr users have been localized by now.
@grindr You are taking a serious security flaw, where users can be attacked,imprisoned or killed & calling it a feature. Totally unethical.
— Trout Monfalco (@troutmonfalco) 29. August 2014Grindr sent out a message to all users:
"More" links to a blogpost on their site.
(Too bad it's english only.)
"Security Flaw In Gay Dating App Grindr Reveals Precise Location Of 90% Of Users"
29/Aug/14
More than two million times..
..600.000 unique Grindr users have been localized in total.
That's more than 10% of all active Grindr users.
"Egyptian Cops Using Grindr To Hunt Gays"
CairoScene.com reported Egyptian government spies are using dating apps, including Grindr, to catch gays.
Within four hours I was able to get that newsarticle translated to egyptian arabic by some awesome Twitter-users and sent it to all egyptian Grindr users online that day.
Time to act, so I contacted Apple and Google to step in, they promised to care, but did not take any visible action.
"you should consider your location to be a form of PII (personally identifiable information)"
nakedsecurity.sophos.com: Grindr app has privacy issues - who's surprised?
01/Sept/14
"Grindr gay smartphone app turns off distance option in face of privacy concerns"
americablog.com: "It would seem that Grindr may have finally started to get the message. Time will tell."
(Spoiler: I didn't take much time.)
"Only hours after gay smartphone app Grindr attempted to fix a glitch...
02/Sept/14
Grindr broadcast #2
06/Sept/14
"If there was ever a better example of a "privatized, depoliticized gay culture," then I don't know what it is."
02/Sept/14
What's next?
This whole story is about responsibility. If you run a business and work with sensitive data like geocoordinates of gay people around the world, including guys in countries like Iran where they get hanged for being gay, you have to care about their privacy. If someone reports to you several times about this issues, you have immediately to shut down these locationservices and find a solution without risking anybody's life.
What Grindr did was absolutely irresponsible and I have no idea why their CEO Joel Simkhai took no action.
If Grindr was a european company, I would have probably taken legal steps to get their servers shut down within days.
This is no usual business where you just loose some ad revenue when something goes wrong.
Grindr exposed many people of a high risk and has been aware of it for months.
btw: It is still possible to find out the location of most of the grindr users.
I'm sure there are more gay dating apps which face similar problems. I invested "some" hours of work making this issue public on Grindr.
Please, be proactive and contact these App-developers on your own and share the results.
Feel free to contact me via Twitter (@GrindrMap).
gay dating apps compared
I created an overview of the top 20 gay dating apps on android. This issue is public for a month and none of the other developers took action by now. It is possible to map all of their users too.
17/Sept/14
other developers fail too
Some weeks have elapsed and nearly every gay dating app still allows locating their users. Similar to GrindrMap I'm going to publish maps for other apps too. Users in countries with anti-gay-law still face high risks, the app developers need to act.
5/Oct/14