An investigative report from the website Bellingcat has found that the beer-rating social app Untappd can be used to identify military personnel and track the locations they’ve visited.

The app works by having users ‘check-in’ whenever they are drinking a beer, whether it be at home or out at a bar or restaurant. Users are encouraged to take photos of the beer they are having, which are then tagged using geolocation and added to their personal profile.

A user’s personal profile contains a history of everywhere they’ve ever checked in using Untappd. In the course of its research, Bellingcat discovered that even though government facilities aren’t discoverable through the app’s search function, they are once you go through the process of ‘checking in’ your beer.

Untappd uses Foursquare’s API to draw its available locations for a check in, so it has a comprehensive list of places depending on where you are. By ‘spoofing’ GPS coordinates to fool the app into thinking they were near a military base, the investigator was able to tag a checked-in beer from that location.

Once they tagged their beer from the military base, they were able to see every other user that had also tagged the same location. From that point on, it’s a matter of selecting one of the user profiles and searching through their history to see where else they have been.

Via Untappd’s web app, someone can also go to a location’s profile page and see a list of their ‘loyal patrons’, a ranking of the top 15 users for that particular spot. This feature allowed the investigators to identify people that frequented bars or restaurants in military bases and embassies as likely employees or personnel rather than tourists who accidentally geotagged the wrong place.

In one case, Bellingcat was able to identify a number of Dutch military personnel based on their check-ins from a Dutch base. Looking at those users’ respective histories and the pattern of check-ins they shared in common revealed a number of other probable military sites around the world.

Other examples of tracing people through the app were a U.S. drone pilot revealing a number of domestic and overseas military bases he had visited, and a naval officer who checked in with the app at a beach next to the Guantanamo Bay detention center, followed by several more entries from the Pentagon.

In addition to using location data, Bellingcat pointed out that the photos users upload for their check-ins can often reveal other sensitive information as well. Aside from several examples of photos of beers exposing sensitive government documents or personal ID’s, users also often tag others in their posts, providing a firmer base from which to draw connections between people and the locations they have visited.

Sources: Bellingcat, Axios