How I hacked Dil Mil (Indian dating app) to expose a user’s exact location

Kunal Agarwal
6 min read · Apr 9, 2020

FROM a very young age, I always liked computers. I started off with piracy, Gameboy emulators, Xbox hacking, and moved to the more ‘hard’ stuff — malware, botnets, financial stuff — I even contributed code to PopcornTime, our favorite Netflix piracy app! But, that life was behind me… until I recently came upon this wonderful app Dil Mil aka Tinder for South Asians.

Dil Mil fast-tracks you to marriage (shaadi).

I know five people who have gotten engaged on it in the last year!

I am a bit of a hopeless romantic and old-fashioned, so I am more tuned to that “love at first sight”... plus, there are no aliens on dating apps. But, I decided to see wsup, and take a proper look myself.

What could be the worst that could happen?!

> The vulnerabilities discussed below have been fixed in collaboration with Dil Mil engineer Jeremiah. Their CEO, KJ Dhaliwal, is a very kind man and has helped make a ton of happily ever afters — I am honored to help him and users safely find love.

Exhibit A. Cold Kunala looking for alien (not human)

IF YOU HAVE never used online dating before, it is sort of like an arranged marriage. Your parents build a ‘bio-data’ or resume with pictures. See below:

| Arranged Marriage | Dil Mil |
|------------------------------|----------------------------|
| 1. Mom makes biodata | Set up profile on app |
| 2. Sent to aunties | Use app to search profiles |
| 3. Put into Yes or No pile | Swipe right |
| 4. Meet human | Meet human |

And, let me tell you — this app is hot. Even the aunties are talking about it! The primary basis for its popularity in the US is that most dating apps do not allow ethnicity filtering. Instead, Dil Mil has carved out a niche to empower humans in quickly finding mates of South Asian descent.

Alright Kunal, let’s get to the point.

Well, the truth is that many of these apps these days (Houseparty, Zoom too…) are built for features and delivery. Security and privacy are not the top concern, and it is the responsibility of individual developers to practice secure code.

Dil Mil is no different here. It collects a ton of personal information about you and surfaces it in swipeable profiles for potential matches. I decided to explore two primary areas:

  1. Is it possible to perpetually be the top profile on Dil Mil?
  2. How much can I know about a potential match?

The Potential Match (Stalker Status)

It’s helpful to think of Dil Mil as a front-end that prettifies data. As you interact with the app, the app downloads more data and shows it to the user.

Mobile App Architecture

It’s pretty evident when you open it for the first time. It’ll make a request to the cloud services, then pull down all of the latest information about you as well as related images. This is how most mobile apps and modern websites work.

These APIs (Application Programming Interfaces) are incredibly useful and are the basis for machine to machine communication.

Let’s get some matches!

Sadly, I had no matches in my profile to begin with. (Honestly, I doubt I will find anyone after this blog)

No matches :-(

Lucky for us, Dil Mil has a handy dandy feature called boosts that allows a user to become the top profile on the app for an hour or so.

Naturally, applications do not expose everything the APIs return — only what is needed for functionality. However, getting insight into the actual API communication can be straightforward; I like to use a tool called Charles Proxy.

Proxies are used to direct traffic through a specific pivot point. In this case, the proxy was present on my laptop so that I could view and tamper with all communication between the application and the cloud.

Screenshot from my Charles Proxy session. You can see all of the Kunal data including my email.

Through some clever scripting and tampering with the data received from the APIs — I got several of these boosts for free 🥳🥳🥳

Success! Within a couple of hours, we can see the matches start rolling in:

Okay, but what about the exact location of the humans?

The first phase of ‘hacking’ or penetration testing starts with reconnaissance. Let’s take a look at the API calls that the Dil Mil app uses to grab matches and potential matches:

$ GET /get_matches_sorted # return all confirmed matches
$ GET /get_potential_matches # return all swipe left/right potential
{
"guid": "77e4dd94-4a8f-4447-84fe-32b46ad8b65f",
"client": "ios_1908151600",
"skip": 0,
"count": 25,
"user": "U.NCOUPETGOGGEAWTGFU",
"excludeIds": [""]
}

As I started to delve deeper into the API responses returned with all of my potential matches, things got quite scary. They contained a treasure trove of data on each of the individuals, ranging from necessary information like name and city to some more dangerous items… Now remember — these are people I have not matched with yet.

This means that this user didn’t consent to me or even see my profile!

They are only folks eligible to be swiped left/right.

Example 1: Exposed birthdate

Example 2: Algorithms for Matching

LOL, apparently, they cut you off from matching with folks if you are not high enough on the hotness scale. 😂 Specifically for the chut-boi’s (chutiya + fuckboi)

Example 3: Exposed Facebook, Instagram and Location

Exp0sed Facebook ID, Instagram Handle, Latitude and Longitude

This is scary! Imagine your exact location being accessible to an end-user who (a) you have not matched with, and (b) you don’t even know!

The issue boils down to latitude and longitude being lifted directly from the phone at up to 13 digits of precision. Out of the ten I checked, many were at residential locations like home, or dorms at school. You could even see what room in the home they were in!

Except this person who was at In-N-Out Burger

Thank god I am not a stalker…

The Fix

Ethical hacking always has a happy ending. I spoke with a smart Dil Mil engineer, Jeremiah, who was able to quickly remedy the issue in early October by truncating the latitude and longitude to two digits. He pushed to production within a couple of days of me reporting the issue. Sincere gratitude to him.

I verified the fix from my end as well.
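As an added illustration (not code from the post or from Dil Mil), here is how a back end could apply the fix described above, and why two decimals matters: one helper converts the last kept decimal place into ground distance, another truncates the coordinates the way the fix does, and a sanitizer returns only the fields a not-yet-matched viewer actually needs. The field names and the sample record are constructed assumptions, not Dil Mil's real schema.

```python
import math
from decimal import Decimal, ROUND_DOWN

# Constructed sample record in the shape the post describes (assumed field names).
RAW_MATCH = {
    "name": "Priya",
    "city": "Berkeley",
    "birthdate": "1994-03-12",            # should never reach a non-matched viewer
    "facebook_id": "100000000000001",     # constructed placeholder
    "instagram": "priya_example",
    "latitude": 37.8715926101234,         # 13 decimals straight from the phone
    "longitude": -122.2727401201234,
}

# The only fields a viewer who has not matched needs in order to swipe.
POTENTIAL_MATCH_ALLOWLIST = {"name", "city", "latitude", "longitude"}

METERS_PER_DEGREE_LAT = 111_320.0  # roughly constant along a meridian


def coordinate_cell_size_m(decimals, latitude_deg):
    """Ground distance represented by one step in the last kept decimal place.

    Returns (north_south_m, east_west_m); a degree of longitude shrinks with cos(latitude).
    """
    step = 10.0 ** (-decimals)
    north_south = step * METERS_PER_DEGREE_LAT
    east_west = north_south * math.cos(math.radians(latitude_deg))
    return north_south, east_west


def truncate_coord(value, decimals=2):
    """Truncate (toward zero, not round) a coordinate to `decimals` places, as the fix did."""
    quantum = Decimal(1).scaleb(-decimals)  # e.g. Decimal('0.01') for decimals=2
    return float(Decimal(str(value)).quantize(quantum, rounding=ROUND_DOWN))


def sanitize_potential_match(record, decimals=2):
    """Payload for a viewer who has not matched: allowlisted fields only, coarse coordinates."""
    out = {k: v for k, v in record.items() if k in POTENTIAL_MATCH_ALLOWLIST}
    for key in ("latitude", "longitude"):
        if key in out:
            out[key] = truncate_coord(out[key], decimals)
    return out


if __name__ == "__main__":
    for d in (13, 2):
        ns, ew = coordinate_cell_size_m(d, RAW_MATCH["latitude"])
        print(f"{d} decimals -> about {ns:.3g} m N-S, {ew:.3g} m E-W per step")
    print(sanitize_potential_match(RAW_MATCH))
```

At 13 decimals a coordinate step is a few nanometres, so the payload effectively pins a phone to a spot inside a room; at two decimals a step is roughly a kilometre, which is enough for a city-level match but not for finding a front door.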

The Lesson

Building an app or start-up isn’t easy, but we absolutely have to respect the users who make the product big. It was great that Dil Mil fixed this as fast as they did, and I hope that developers continue to improve their security and preserve consumer privacy hygiene.

California recently launched the California Consumer Privacy Act (CCPA), which grants consumers strong privacy rights over how companies use their data. This has had a ripple effect that raises consumer rights around the world. You might have seen the opt-out messages everywhere on the web.

I hope you learned something new today! Keep smiling and have a wonderful day 😀

— Kunal


Kunal Agarwal

electrical engineering computer science nerd from @ucberkeley, founder @dope.security, producer with @sanjoyd