Untappd, a popular beer and brewery-rating app that’s built on top of Foursquare’s location-tracking API, poses a risk to the security of military and intelligence personnel, according to legendary OSINT website Bellingcat.
Untappd “has over eight million mostly European and North American users, and its features allow researchers to uncover sensitive information about said users at military and intelligence locations around the world,” wrote Bellingcat’s Foeke Postma in a fascinating guide about using the app for tracking down people of interest.
Untappd’s concept of operations is simple. You go to the pub and drink beer. During the beer-drinking process you take a picture of your beer with your smartphone and rate it. You can also rate the pub and leave comments. To do these things you need to register an account and provide some personal details – or log in with Facebook.
“Untappd users log hundreds, often thousands of time-stamped location data points. These locations are neatly sorted in over 900 categories, which can be as diverse and specific as ‘botanic garden,’ ‘strip club,’ ‘gay bar,’ ‘west-Ukrainian restaurant,’ and ‘airport gate.’ As the result of this, the app allows anyone to trace the movements of other users between sensitive locations,” wrote Bellingcat’s Postma.
All you need to do to deploy Untappd as an intelligence-gathering tool is use the app through its normal user interface. With a little knowledge of how the app works plus access to online map websites that list pub, bar and restaurant details, it’s frighteningly simple to find people who probably shouldn’t be easily findable.
Putting the Findings to the Test
An online tech publisher based in the U.K., The Register, put Bellingcat’s findings to the test. The author was able to identify someone who, over the years, enjoyed a few pints of beer at hostels close to, among other places, GCHQ Cheltenham; the Atomic Weapons Establishment base at Aldermaston, England; and an Army base at South Cerney in Gloucestershire, as well as on his regular pub crawls around his hometown.
That person used his own mugshot for a profile picture on the app. And although Untappd only displays users’ first names and initials, this particular one used his surname as part of his username, so the app displayed “Joe B. (bloggs123)” on his profile. From there, it was a trivial step to find him on LinkedIn using a job title of “analyst” and cross-match that against postal address records for his name in his hometown.
Another scenario had the publisher looking at pubs and bars near the Royal Navy nuclear submarine base at Faslane, up in the lochs of western Scotland by Glasgow. By getting into the mindset of a thirsty sailor looking for the nearest drinking establishment, the publisher quickly identified a cluster of bars within easy staggering distance of the Helensburgh railway station — the first stop up the line from Faslane.
From there it was easy to look through recent Untappd check-ins at those bars and identify a U.S. Navy nuclear submarine officer, complete with mugshot. His favorite establishments included on-base bars at a U.S. naval station in Norfolk, Virginia. And he also liked bars next to naval bases in Spain and “Naval Base San Diego.”
Just casually browsing the submariner’s friends list on the app, the publisher found the profile of a woman who drank in the same bars at the same time as the man himself. Her profile picture on Untappd included children.
While the app itself is harmless, this ought to be a clear lesson for anyone in a sensitive job: do not use social media. But if you’re going to use social media anyway just to have a normal life outside work, avoid using it in a way where your precise location can be pinpointed next to sensitive workplaces. Careless tagging could, in some circumstances, cost lives.