Here are the facts:
- Yes, Tinder was releasing geolocation and Facebook data through their private API
- Yes, it let you do some remarkably creepy things (like this)
However, unless you know how to set up a mitm proxy, it’s simply not possible to grab that data. I’m going to assume that doesn’t qualify as a “simple hack” as the majority of the media put it.
There’s a little in Sean Rad’s response that I don’t agree with. However, his reasoning for not bringing it to the user’s attention is valid – “It was a minor flaw that didn’t impact any of our users, so we decided it wasn’t worth bringing to their attention.”
Not only was the API private, but I’ve never seen a company fix an issue that fast. I think I emailed them at 4am. When I woke up, it was fixed, and for that, they seriously deserve to be commended. They say they take their users’ privacy seriously, and it looks like they mean it.
As to why that data was in the response in the first place, I’m hesitant to believe that it happened during the Android rollout. I’d say it’s more likely that they calculated shared friends, likes, and distance client side instead of server side for the early versions of the app. When they switched to server side, they never removed the raw data.
Updated: They called me last night to say thank you. They wanted me to speak with the CTO, but he was busy working all night to look for and fix any further privacy issues. Yes, Tinder messed up, but their response has been phenomenal and I’m thoroughly impressed.
Comment on HN here