There have already been many articles regarding applications and services that request location access but end up leaking more location information than necessary to their client apps running on users’ devices. Two popular ones are Tinder and Facebook Messenger. The case in point for this article is the popular online dating service OkCupid. OkCupid has millions of users worldwide. Users make their online profiles by adding a few pictures of themselves, answering some questions, and writing a little about themselves. OkCupid uses this information to quantify how well users match with each other in the form of match and enemy percentages.
To make the experience even better, OkCupid uses location data provided by users to find potential matches close by. Users can then browse through a variety of these matches (sorted and filtered by their preferences) and drop messages if they are interested in any of them. The figures below show the “Nearby” and “Search” tabs under the “Matches” menu on OkCupid’s latest iPhone app at the time of writing this article. Both views show thumbnails of the main picture in that match’s profile, along with other useful information like username, region, age, and match percentage (usernames and thumbnails are blurred).
At first glance, it might seem like OkCupid would use the user’s location data to find a group of users nearby, sort them by match or distance, and send that data back to the user in a view like the ones above. All computation related to location data would be expected to happen on the server side. But could they be leaking more information than needed while transferring this data to the client application? I decided to dig a little deeper into the app and see what kind of data OkCupid is really passing between the client and their servers to render views. To my surprise, apart from pictures, usernames, ages, match percentages, etc., OkCupid also sends the exact coordinates of potential matches… unencrypted! I was even more perplexed to find that only responses for the “Quickmatch” feature included them!
Let’s take a second to look at this feature. It works by showing profile cards one at a time to the user. The user can tap on the card to view more pictures of the match and a snapshot of the match’s profile (not sure how this is selected), and then swipe the card left or right to “dislike” or “like” the profile. The top card includes a picture of the match, the match percentage, the age of the match, and text saying what region the match is most likely in. These information views in “Quickmatch” are shown below.
Nowhere does this feature indicate how far this match is from the user, or their exact address. Then why pass the exact coordinates of where that match is? If views like “Nearby”, which seem more dependent on distance between the user and their matches, don’t pass location data, “Quickmatch” has absolutely no need for it. Being able to link a set of pictures and demographic data with exact coordinates is very, very powerful information! I doubt I need to list the possible consequences of someone getting a hold of this data and misusing it.
To give a better idea of how easy getting this data is, here is what I did: I went to the Quickmatch feature and swiped about 50 cards (whether you swipe left or right doesn’t matter). By using a proxy, I had all the data that OkCupid requested from their servers immediately on my computer. And what could be better than this data already formatted in JSON! The image below is a sample “location” object from the response clearly showing the longitude and latitude of this potential match. You can find the full response here (with sensitive information removed). It’s also surprising that this response corresponds to the entire profile of this match, even though, as we saw a few moments ago, “Quickmatch” doesn’t show the full profile of the top card. It only shows a snapshot.
I wrote a super-short Python script to scrape out coordinates from these responses and pasted them onto an online mapping tool that lets you map multiple coordinates at once. And within a couple of seconds, all my potential matches were on a map!
It also looks like one can infer more than just the location through this data. From the screenshot of the map below, match no. 29 was close to Atlanta, GA when I captured the location data. Since I got this data just around the start of July 4th weekend, it seems match no. 29 most likely spent their 4th of July weekend in Atlanta, GA. Similarly, match no. 6 most likely went to the Washington area.
Scary, right? The overall picture that I’d like to shed light upon through this post is how careful one really needs to be online. It’s crazy how we trust third-party applications like OkCupid with our private data without considering how and where this information is used. OkCupid asks users to create a dating profile viewable by other OkCupid users. So in a way, users are much less safe on OkCupid than they are on a social network like Facebook — they can only control so much of the data that is shown about them to others. And if they decide to control too much, they lose out on the benefits of being on a dating website in the first place. Dating services like OkCupid have the greater ambition of connecting and matching people for eternity. But they cannot do that at the cost of users’ privacy. The possibilities that open up with access to a full profile (pictures, writing style, demographics, etc.) along with exact location data are unimaginable! It’s food for stalking.
App creators readily request all kinds of personal and sensitive information from users (name, birthdate, location, a link with Facebook, etc.) to create a better experience. However, sometimes they compromise this information in exchange for simpler application development. If passing location coordinates is a leak on OkCupid’s behalf, it’s a simple fix: get rid of it from the response. But if it was intended, there are definitely options to change the app and remove the need for passing coordinates. How hard would it be for OkCupid to convert the coordinates into a region and send that text in the response, instead of having their app on a mobile device do the conversion? Not hard at all; just move the code that uses coordinates from their mobile apps to their servers. In fact, they already do so in the other parts of the app! On the other hand, if location data is necessary for client-side computations, encrypting it should be top priority.
Upon discovering this exchange of sensitive information, I contacted OkCupid. I described the issue in detail, explaining how big this leak is. It’s been more than 48 hours and I still haven’t received a response from them. Tinder and Facebook seemed to have fixed their bugs extremely quickly. I sincerely hope this article creates a sense of urgency for OkCupid to fix this bug and make their online dating service safer for their users around the globe.
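As an added illustration of the server-side fix described above (example code written for this post, not OkCupid’s own), the snippet below builds the “Quickmatch” card response from an allow-list of fields, coarsens exact coordinates to a region name before anything leaves the server, and includes a regression check that walks any response and flags coordinate-like keys. The profile field names, the sample record and the region centroid table are constructed assumptions standing in for a real schema and a real reverse-geocoding service.

```python
import json
import math
from typing import Any

# Constructed sample of a full server-side profile record. Field names are
# assumptions for this illustration, not OkCupid's actual schema.
FULL_PROFILE = {
    "username": "example_user",
    "age": 29,
    "match_percentage": 87,
    "photos": ["https://example.invalid/photo1.jpg"],
    "essays": {"self_summary": "Likes hiking and bad puns."},
    "location": {"latitude": 33.80, "longitude": -84.40},
}

# Constructed stand-in for a real reverse-geocoding service: region centroids.
REGIONS = [("Atlanta, GA", 33.749, -84.388),
           ("Washington, DC", 38.907, -77.037),
           ("New York, NY", 40.713, -74.006)]

# Allow-list of what the Quickmatch card actually renders; nothing else ships.
QUICKMATCH_FIELDS = ("username", "age", "match_percentage", "photos")

# Key names that should never appear in a client-facing response.
COORD_KEYS = {"latitude", "longitude", "lat", "lon", "lng"}


def region_label(latitude: float, longitude: float) -> str:
    """Coarsen exact coordinates to a region name on the server side."""
    return min(REGIONS, key=lambda r: math.hypot(r[1] - latitude, r[2] - longitude))[0]


def quickmatch_card(profile: dict) -> dict:
    """Build the Quickmatch response: allow-listed fields plus a region string."""
    card = {k: profile[k] for k in QUICKMATCH_FIELDS if k in profile}
    loc = profile.get("location", {})
    card["region"] = region_label(loc["latitude"], loc["longitude"])
    return card


def leaks_coordinates(obj: Any) -> bool:
    """Regression check for any API response: flag coordinate-like keys anywhere."""
    if isinstance(obj, dict):
        return any(k.lower() in COORD_KEYS or leaks_coordinates(v) for k, v in obj.items())
    if isinstance(obj, list):
        return any(leaks_coordinates(v) for v in obj)
    return False


if __name__ == "__main__":
    card = quickmatch_card(FULL_PROFILE)
    print(json.dumps(card, indent=2))
    print("coordinates leaked:", leaks_coordinates(card))  # prints False
```

Running `leaks_coordinates` over every serialized response in an API test suite is the kind of check that would have caught this leak before it shipped, since the full profile fails it while the minimized card passes.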
Update: OkCupid got back to me about this leak. They agreed it was a leak on their part, and “have changed that API to now just show the high level information about the location”. More specifically, the coordinates OkCupid sent as part of the responses were related to the ZIP code rather than the exact position of the match. Still, sending this data was a leak since it wasn’t being used by “Quickmatch” in any way. They have also clarified that my inference about the weekend plans of the two matches (one in Atlanta and the other in Washington) was a little off. They weren’t traveling from New York to those destinations, but in fact from those destinations to New York. This makes it clear that “Quickmatch” finds matches close to the user, regardless of the location those matches have set statically in their OkCupid profiles. Great job on fixing this quickly and clarifying the functionality for me, OkCupid!