
WhosHere, an Online Dating App, Captures Precise User Location Data

Jul 12, 2023

Pentest Partners researchers uncovered a vulnerability in the app’s commercial edition, which uses an unusual approach to identify user location. WhosHere Plus employs trilateration, a method of determining the exact position of an object by measuring distances to three known sites. 

The app first uses GPS to establish the device's geolocation, which is then sent to WhosHere servers. The same thing happens with the devices of nearby users. By tracking the distances between these devices, the server obtains very precise geolocation data. This degree of precision allows users to find prospective matches even in congested areas.

Security and Privacy Risks

WhosHere, like other online dating applications, is susceptible to user tracking and unauthorized access to user data. Journalists contacted Pentest Partners, who verified that the app's API queries may be used by tech-savvy persons to gain access to precise user locations and other personal information.

This exposes users to law enforcement, fraudsters, stalkers, and others looking to exploit this information, particularly in countries where non-traditional sexual orientations are criminalized, such as Egypt.

Following a formal request from Pentest Partners researchers to WhosHere, the firm updated certain safeguards in the software, although their usefulness is very doubtful.

Despite developer efforts to improve security, specialists were able to circumvent the obligatory certificate verification and intercept user data in WhosHere. 

Subsequent versions of the app no longer gathered precise location data but still allowed an estimated position to be determined using trilateration. The study's findings show that WhosHere jeopardizes its users' security and privacy. Processing location data in dating applications requires careful consideration to prevent possible harm. Users may suffer psychological and physical effects if these dangers are ignored.

Data interception vulnerabilities have already plagued online dating applications such as Bumble and Tinder, allowing attackers to establish user whereabouts. Apple AirTag, which uses Bluetooth technology, has also raised privacy and user confidentiality issues owing to its geolocation capabilities. 

Google recently confirmed the use of comparable technology in Android smartphones, although the question of its safety has yet to be resolved. App and device makers must prioritize transparency about how they store sensitive consumer data and manage the risks connected with it.