Grindr’s API Surrendered Location Data To A Third-Party Website, Even After Users Opted Out

Grindr’s API Surrendered Location Data To A Third-Party Website, Even After Users Opted Out

A website that allowed Grindr’s gay dating app users to see who blocked them on the service says that by using the company’s API it was able to view unread messages, email addresses, deleted photos and – perhaps most troubling – location data, according to a report published today.

Photo: Getty

The website, C*ckblocked, boasts of being the “first and only way to see who blocked you on Grindr”. The website’s owner, Trever Faden, told NBC that, by using Grindr’s API, he was able to access a wealth of personal information, including the location data of users – even for those who had opted to hide their locations.

“One could, without too much difficulty or even a huge amount of technological skill, easily pinpoint a user’s exact location,” Faden told NBC. But before he could access this information, Grindr users first had to supply C*ckblocked with their usernames and passwords, meaning that they voluntarily surrendered access to their accounts.

Grindr said that, once notified by Faden, it moved quickly to resolve the issue. The API that allowed C*ckblocked to function was patched on March 23, according to the website.

Faden’s discovery underscores the risk users take by signing into third-party websites using social media credentials, which is notably a common practice among Facebook users. Facebook, of course, is embroiled in an international scandal at the moment over a leak of data belonging to at least 50 million Facebook users. That incident stems from an online quiz linked to Facebook accounts that users voluntarily filled out online.

Tod Beardsley, director of research at the Boston-based software firm Rapid7, noted that data apps generally ask users to surrender large quantities of personal data.

“Regardless of any third-party’s promises or guarantees, providing a username and password to a third party means just that: You have handed over your credentials to a third party, who will be able to access your account, up to and including data that may not be exposed in the normal interface,” said Beardsley.

While the capabilities described by Faden may be shocking, he added, “it all depends on first collecting a legitimate user’s data directly through incitement or trickery.”

Not everyone agrees that it’s incumbent on users alone to protect themselves from such practices.

Cooper Quintin, a security researcher with the Electronic Frontier Foundation, told NBC that Grindr was “putting people’s lives at risk,” noting there are “a million reasons why you might not want someone to find your location through Grindr”.

In Egypt, for example, where homosexuality is criminalised through laws that deem “immoral” behaviour illegal, Grindr users have been arrested by undercover police and imprisoned.