Risky online dating apps putting your privacy in danger

You may not be as anonymous as you think.

Graham Cluley

If you weren’t nervous enough about the prospect of meeting a complete stranger after connecting on an online dating app, there’s something else to worry about.

Just how carefully is your app keeping your personal information and location out of other people’s sight?

Researchers at Kaspersky have taken a look at a number of online dating apps for Android and iOS, and found that some are doing a pretty poor job of securing users’ details.


Firstly, some apps encourage users to enter their place of work on their profile:

First of all, we checked how easy it was to track users with the data available in the app. If the app included an option to show your place of work, it was fairly easy to match the name of a user and their page on a social network. This in turn could allow criminals to gather much more data about the victim, track their movements, identify their circle of friends and acquaintances. This data can then be used to stalk the victim.

More specifically, in Tinder, Happn and Bumble users can add information about their job and education. Using that information, we managed in 60% of cases to identify users’ pages on various social media, including Facebook and LinkedIn, as well as their full names and surnames.

In addition, some dating apps were found to track users’ location – displaying the distance between a malicious party and a target. If a target was staying in one place, a hacker could feed an app bogus co-ordinates and receive information about their relative distance to track down the location of the person they were interested in.

The researchers reported that users of the Tinder, Mamba, Zoosk, Happn, WeChat, and Paktor apps were particularly susceptible to having their location determined.
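
A server-side mitigation for the distance leak described above, as an added example that is not from the article, the Kaspersky research or any of the apps named: a precise distance endpoint is shown beside a hardened one that snaps the stored position to a grid cell and reports distance in whole buckets. The grid size, bucket size, function names and coordinates are assumptions constructed for illustration.

```python
import math

EARTH_RADIUS_KM = 6371.0
CELL_DEG = 0.01    # assumed grid size (about 1.1 km of latitude)
BUCKET_KM = 1.0    # assumed reporting step

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def snap(lat, lon, cell=CELL_DEG):
    """Replace a coordinate with the centre of the grid cell containing it."""
    return ((math.floor(lat / cell) + 0.5) * cell,
            (math.floor(lon / cell) + 0.5) * cell)

def precise_distance_km(viewer, target):
    """Leaky form: metre-level distance to whatever position the client claims."""
    return round(haversine_km(*viewer, *target), 3)

def coarse_distance_km(viewer, target):
    """Hardened form: snap the stored position first, then round up to a bucket.
    Rounding alone still varies with the exact position; snapping removes that."""
    d = haversine_km(*viewer, *snap(*target))
    return max(BUCKET_KM, math.ceil(d / BUCKET_KM) * BUCKET_KM)

def responses(distance_fn, viewers, target):
    """What the server would answer to each claimed viewer position."""
    return [distance_fn(v, target) for v in viewers]

# Constructed sample data: two users in the same grid cell, three claimed positions.
USER_A = (51.5012, -0.1234)
USER_B = (51.5088, -0.1279)
CLAIMED = [(51.52, -0.10), (51.48, -0.15), (51.50, -0.20)]

if __name__ == "__main__":
    for fn in (precise_distance_km, coarse_distance_km):
        print(fn.__name__, responses(fn, CLAIMED, USER_A), responses(fn, CLAIMED, USER_B))
```

With the hardened function, the answers depend only on the grid cell, so two users anywhere in the same cell are indistinguishable however many positions a client claims.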


Meanwhile, some apps were guilty of elementary security failures – transmitting sensitive information in an unencrypted format, opening opportunities for an attacker to intercept the data in transit:

Most of the applications use SSL when communicating with a server, but some things remain unencrypted. For example, Tinder, Paktor and Bumble for Android and the iOS version of Badoo upload photos via HTTP, i.e., in unencrypted format. This allows an attacker, for example, to see which accounts the victim is currently viewing.

So, what should you do about this?

The first rule has to always be to think carefully about what information you share online (including in dating apps). Even if the information you have provided to the app isn’t in itself enough to identify you, remember that chances are that you have left plenty of other information about yourself lying across the internet (maybe on Facebook or LinkedIn for instance) which will help someone to track you down.

It may even be possible for an attacker to conduct what are known as “reverse image searches”, where rather than type words into a search engine to look for something, someone could use the image that you have posted on a dating app and see if a similar image appears anywhere else online.

My guess is that many people may be quite happy using the same flattering snap of themselves in a dating app as on a social network or Instagram.

The other issue is that clearly some of these apps are poorly written. Your dating app may contain vulnerabilities that could lead to you unwittingly leaking your personal information, or provide clues that could lead someone to determining your true identity or location.

Depending on the vulnerability there may or may not be ways in which you can protect yourself from this – but I would always recommend using a secure VPN to protect your privacy when connected to the net via public Wi-Fi (even better use 3G or 4G if you’re unsure about the Wi-Fi) and as a general rule only share information you don’t mind ending up appearing in public online.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

2 comments on “Risky online dating apps putting your privacy in danger”

  1. Jonathan

    What is the risk here? So the hacker knows my name, my employer, my alma mater, and my location? Then what?

  2. DaB

    If you read dating services' TOS and Privacy Policies you'll find plenty of grist for concern about their handling of literally everything you submit to them. Common issues include dating site takes a permanent license to use everything submitted (text, pics, etc) in all possible ways by them and all affiliates/transferees/assigns, data transferred about you or your ad copy & pic not subject to the same privacy provisions as the original site, no right of the 'customer' to know/review/approve what's retained/whether & how it's used by all affiliates/transferred/sold, no info about how the customer's info would be protected from exposure including upon transfer to others, no right of compensation for what's done with the info by the host, and no transparency into any of this beyond the TOS & Privacy Policy. The only way, hopefully, to end any of this or take control is to terminate the account.

    Now put this in practical terms: You submit a paid ad with a facial pic to one of the big dating sites, they also get all your billing and other account info for internal uses. It's a big company with affiliates and an active marketing program. Their affiliates include ones in niche interest areas, some of which you would not want to be associated with in any way, but the company forwards your original ad info & pic to their niche site affiliate teams for seeding their count of 'members' for their marketers. So your ad, or parts of it, maybe the topic, your original text edited to suit the niche and your face attached. The company also sends out emails to mass lists of potential customers for the original site you submitted the ad to or for a niche site you have no intention of advertising in. No matter, respondents to your faked ad won't know why their responses go unanswered and only rarely will those niche site responses be forwarded to you. You also won't know if your coworkers, family or anyone else got one of those marketing emails with your face on it, touting how great that niche site is. Or if law enforcement, insurers, employers, prospective employers, the university you applied to, the DoD, credit reporting agencies, or people you do business with have scraped any of the fraudulent ads or marketing using your mug into their dossiers about you. All without any notice or transparency to you, or your ability to control it. From your innocent ad looking for a partner in life……
