When the purpose of your app is to connect total strangers, maybe privacy is beside the point. Still, mobile dating app Tinder has a particular knack for revealing sensitive information.
Earlier this year, we reported that Tinder had exposed the physical location of its users for at least two weeks, perhaps months. The company initially downplayed the issue, and still hasn’t told its users what happened. But the controversy, such as it was, barely registered in the technology industry.
Tinder actually continues to reveal personal information about people who use the app in ways that seem unnecessary and invasive. For instance, the app’s data files include Facebook ID numbers that make it possible, in many instances, to identify and contact users who would otherwise remain quasi-anonymous.
Shaked Klein Orbach, a web developer in the Netherlands, has just documented a few other privacy holes in Tinder. Most alarmingly, it appears possible to fool Tinder into making a match with someone who hasn’t expressed interest—and in doing so, reveal that user’s email address.
Tinder works by showing you photos of people it thinks you might take a liking to. (The app is mostly used for dating and hooking up, but would like to make platonic connections, too.) Users swipe right or left to indicate if they’re keen. Tinder then connects users who have expressed mutual interest.
But it turns out that Tinder’s API, the protocol that makes the app work, leaves open a way to connect with someone who hasn’t expressed interest. That would be like Facebook approving friend requests without the permission of both sides. Orbach’s post explains how he was able to do it. In the process, he also noticed that Tinder reveals the email address of each person to whom the app connects you.
Like a lot of Tinder’s privacy flaws, the ones discovered by Orbach don’t seem necessary to make the app function. Instead, they appear to be the result of sloppy API design. Orbach, in an email, said he has contacted Tinder about the issues. He also provided documentation of his work to Quartz.
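One way a server can rule out both problems described above, as an added example that is not from Orbach's write-up or from Tinder's code: a match is derived only from swipes stored on the server, and the data returned about a matched user is built from an allowlist of fields. Every name and record below is hypothetical.

```python
# Added illustration; every name here is hypothetical, not Tinder's API.
from dataclasses import dataclass, field

# Fields a matched user may see about the other person. Email and the
# Facebook ID are deliberately absent, so they cannot leak by default.
PUBLIC_FIELDS = ("user_id", "name", "photos")


@dataclass
class MatchService:
    users: dict                                # user_id -> full stored record
    likes: set = field(default_factory=set)    # (liker, liked) pairs, server-side

    def record_like(self, session_user, target):
        """Store a right swipe. The liker is always the authenticated
        session user, never an ID taken from the request body."""
        if target not in self.users or target == session_user:
            raise ValueError("invalid target")
        self.likes.add((session_user, target))
        return self.get_match(session_user, target)

    def is_match(self, a, b):
        # A match exists only when both directions are on record.
        return (a, b) in self.likes and (b, a) in self.likes

    def get_match(self, session_user, other):
        """Return the other user's public view, or None when there is no
        mutual interest. There is no call that creates a match directly."""
        if not self.is_match(session_user, other):
            return None
        record = self.users[other]
        return {k: record[k] for k in PUBLIC_FIELDS if k in record}


# Constructed sample data.
USERS = {
    "u1": {"user_id": "u1", "name": "Ana", "photos": ["a.jpg"],
           "email": "ana@example.test", "facebook_id": "1000001"},
    "u2": {"user_id": "u2", "name": "Ben", "photos": ["b.jpg"],
           "email": "ben@example.test", "facebook_id": "1000002"},
}

if __name__ == "__main__":
    svc = MatchService(users=USERS)
    print(svc.record_like("u1", "u2"))   # one-sided: no match yet
    print(svc.record_like("u2", "u1"))   # mutual: public fields only
```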
Tinder is part of internet conglomerate IAC, which also owns dating sites Match.com and OkCupid. Like many mobile apps with popular buzz, Tinder won’t say how many users it has. CEO Sean Rad said a few days ago that Tinder processes 400 million swipes and 4 million matches a day, and those figures are rising.
Reached by phone today, Tinder CEO Sean Rad said he was heading into a meeting and referred questions to a spokeswoman. The spokeswoman, Rosette Pambakian, didn’t have an immediate response.
Update (5:58pm ET): Rad provided this statement:
We want to thank Mr. Orbach for pointing out a way to create a match with another user through manipulating certain API calls. This issue is now resolved and to our knowledge no one was affected outside of Mr. Orbach’s test. We are committed to taking all necessary steps to ensure the privacy of our users and we appreciate the help and support of great engineers like Mr. Orbach.