Dating app location APIs can be trilaterated to pinpoint a user's home address
Dating apps that show distance to other users (Bumble, Tinder, Grindr, etc.) are vulnerable to trilateration attacks: an attacker spoofs their GPS to three different locations, records the reported distance to the target each time, and calculates the exact intersection point, revealing the target's home address to within a few meters. Check Point Research demonstrated this in 2024 on Bumble, and the vulnerability class has been known since at least 2014 on Grindr. Despite years of disclosure, many apps still return precise distance values rather than coarsened ranges.

This matters because stalkers and abusers can locate someone's home without ever meeting them, using only the public distance feature and free GPS-spoofing tools. The structural reason is that precise distance is a core product feature ('she's 0.3 miles away') that drives engagement and matches; coarsening distance to safe ranges (e.g., 'within 5 miles') makes the product feel less magical and reduces match rates, so product teams resist the change.
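A server-side sketch of the coarsening described above, as an added example that is not taken from any of the apps or reports cited: both positions are snapped to a grid cell before the distance is measured, and only a range label is returned. The grid size, range limits, function names and coordinates are assumptions constructed for illustration.

```python
import math

EARTH_RADIUS_MI = 3958.8
GRID_DEG = 0.05               # assumed cell size, about 3.5 miles of latitude
BUCKETS_MI = (5, 10, 25, 50)  # assumed display ranges ("within 5 miles", ...)


def snap(lat, lon, cell=GRID_DEG):
    """Replace a coordinate with the centre of the grid cell containing it."""
    return ((math.floor(lat / cell) + 0.5) * cell,
            (math.floor(lon / cell) + 0.5) * cell)


def haversine_mi(a, b):
    """Great-circle distance in miles between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(h))


def precise_distance_label(viewer, target):
    """Risky pattern: the response changes with every small move of the viewer."""
    return f"{haversine_mi(viewer, target):.1f} miles away"


def coarse_distance_label(viewer, target):
    """Coarsened pattern: snap both ends to the grid, then return only a range."""
    d = haversine_mi(snap(*viewer), snap(*target))
    for limit in BUCKETS_MI:
        if d <= limit:
            return f"within {limit} miles"
    return f"more than {BUCKETS_MI[-1]} miles"


# Constructed sample data: one target and three nearby viewer positions.
TARGET = (40.7128, -74.0060)
VIEWERS = [(40.7200, -74.0100), (40.7050, -74.0400), (40.7450, -74.0020)]

if __name__ == "__main__":
    for v in VIEWERS:
        print(precise_distance_label(v, TARGET), "|", coarse_distance_label(v, TARGET))
```

Snapping happens before the distance is computed, so the label is a function of grid cells only and never of the raw coordinates the client reports.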
Evidence
Check Point Research demonstrated trilateration on Bumble in 2024: https://research.checkpoint.com/2024/the-illusion-of-privacy-geolocation-risks-in-modern-dating-apps/
ESET documented the broad 'great location leak' across dating apps: https://www.welivesecurity.com/en/privacy/great-location-leak-privacy-risks-dating-apps/
Security Boulevard analysis of GPS spoofing + trilateration attack on dating apps: https://securityboulevard.com/2025/05/from-swipe-to-scare-data-privacy-and-cyber-security-concerns-in-dating-apps/
EFF documented consent failures in dating app location sharing (July 2025): https://www.eff.org/deeplinks/2025/07/dating-apps-need-learn-how-consent-works