I know officials at grindr have been informed several times within the past months about these issues, which would seem to imply that the concept of “social responsibility” is lost upon Grindr. While you may live in a country where using Grindr is no big deal, there are countries like Sudan and Yemen where anti-gay laws have been enacted with severe consequences[3], e.g. the death penalty. Knowing that Grindr-Users in countries such as these are being put unnecessarily at a high risk should be reason enough for Grindr to change its system.

Even without the such a risk: Would you want it to be possible for someone to show on a map, exactly where you are to the point where they could tell if you were using Grindr in the bathroom or on the couch?

While the app only shows users the distance between them and other users, specific location data can be extrapolated by querying Grindr’s servers from three different places and triangulating the information received. This process can also be automated using commonly available tools, and the resulting coordinates can be overlaid on a map.

The flaw arises from the fact that anyone can query Grindr’s servers using standard JSON (JavaScript Object Notation) without needing to be authenticated. The server’s response will contain whatever information users have added to their profiles, potentially including a photo, text description, age, ethnicity, body type, time last seen online, and relationship status.

Users can choose not to show their location to other users. If this flag is set, the JSON response will not contain location data. The YouTube link included in the anonymous messages and Twitter account leads to a video demonstrating the process in several parts of the world. With a single click, user profiles are displayed as pins on a map.

The second security risk is that message senders can be spoofed, and users can be impersonated. The Pastebin dump contains specific instructions including details of Grindr’s messaging protocols and server addresses. This is how the unknown whistleblower has been sending out hundreds of thousands of messages.

We don’t view this as a security flaw. As part of the Grindr service, users rely on sharing location information with other users as core functionality of the application and Grindr users can control how this information is displayed. For Grindr users concerned about showing their proximity, we make it very easy for them to remove this option and we encourage them to disable ‘show distance’ in their privacy settings. As always, our user security is our top priority and we do our best to keep our Grindr community secure.