Keypoints
- Exposed or inferable distance data in dating apps enables trilateration to recover user coordinates even when exact geolocation is hidden.
- Hornet transmitted precise coordinates server-side and randomized reported distances, but this did not prevent accurate location recovery in practice.
- A binary-search-style method using a controllable auxiliary account can determine distance to a target with high precision by iteratively adjusting the auxiliary account’s position and checking list order.
- Trilateration with many reference point pairs and averaging drastically improves accuracy—experiments produced mean errors under 5 meters and, in some setups, <1 meter.
- Hornet mitigations implemented after disclosure increased median error to about 50 meters, reducing but not eliminating the risk of approximate location recovery.
- Techniques to improve robustness include forcing target presence via an “online” API call, filtering poorly informative reference pairs, and automating many account positions to speed measurement.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Abused Hornet’s application/API logic and server responses to extract precise coordinates and distance data (“the second one, named Hornet, sends precise coordinates to the server.”).
- [T1098] Account Manipulation – Created and positioned additional accounts under attacker control to probe distances and perform binary-search-style measurements (“we need to register an additional account, the coordinates of which we can control.”).
- [T1078] Valid Accounts – Used legitimately registered app accounts to query the user list repeatedly and infer ordering-based distance information (“we request the list of users from the dating app server.”).
- [T1591] Gather Victim Identity Information – Collected sensitive location information about users via trilateration using distances from multiple reference points (“Trilateration lets you determine target coordinates by knowing the coordinates of several points and the distance from them to the target.”).
- [T1040] Network Sniffing – Analyzed app traffic to observe coordinate encodings (e.g., a 12-digit geohash) and server behaviors that leak location-related data (“transmits coordinates encoded as a 12-digit geohash, where the map is divided into rectangles of 37×18 centimeters.”).
Indicators of Compromise
- [Domain] Hornet support and app domain – hornet.com (support page discussing position protection), used as the target application for analysis.
- [Domain/URL] Research publication and assets – research.checkpoint.com (original research post and image assets), source of methods, figures, and responsible disclosure details.
Researchers focused on the technical method to infer user locations from dating-app distance information. The primary distance-estimation technique is a binary-search-style probing using auxiliary (attacker-controlled) accounts: place a secondary account at a chosen offset from the main account, request the app’s ordered nearby-user list, and determine whether the target falls before or after the secondary; repeat, halving the search interval until the distance precision meets requirements. When neighbors display distances, a simpler estimation can use the average of two known neighbor distances. To ensure the target and secondary appear in results, the team invoked the app’s “user is online” API before measurements.
For full trilateration, the attacker positions multiple reference accounts and measures distances to the target from different known coordinates. A two-step trilateration was used: derive two candidate intersection points from distances to two reference accounts, then disambiguate using a third reference. Large-scale sampling across many reference-pair sets and averaging of trilateration results mitigates server-side randomization and ordering noise; filtering out reference pairs with poor axial separation (e.g., those within 800 m of the previous estimate center) reduces large-error outliers. Using 25–50 reference sets produced median errors of ~4–10 m, and with careful filtering and 300 reference-pair trials the mean error fell below 5 m.
Experimentally, Hornet initially allowed meter-level accuracy (some measurements <1 m and many <6 m). After disclosure, Hornet applied mitigations that increased achievable error to roughly 50 meters, limiting but not fully eliminating approximate location inference. Practical attacker optimizations include automating account creation/positioning to parallelize measurements and using repeated queries to overcome server-side randomization.