A Vulnerability in Bumble Platform Allows Location Leaks

Contributed by: kellyseal on Friday, September 17 2021 @ 09:24 am

Last modified on Friday, September 17 2021 @ 09:28 am

Dating app Bumble’s platform was found to have a security vulnerability capable of leaking the exact locations of its users, putting them at risk from potential attackers.

The researcher who discovered the security flaw created two fake profiles, one for the “attacker” and one for the “victim,” to probe the app’s API for vulnerabilities. He was able to bypass the signature checks on API requests, which meant he could get around Bumble’s paywall to carry out the attack.

His test revealed the exact location of the fake victim, and its distance from the fake attacker, through a process of trilateration, according to security trade magazine The Daily Swig[*1]. In other words, he worked out how the app calculated and matched approximate user locations by rounding down the exact distance between two users, and that rounding behaviour was still enough to recover a precise position.

Bumble has over 100 million users worldwide who could have been exposed to the hack, making them vulnerable to potential stalkers. According to reports, the vulnerability was found in June and was fixed within 72 hours.

A software engineer at Stripe named Robert Heaton was the one who discovered the flaw, and he asked for a $2,000 reward as a donation to the Against Malaria Foundation. He told The Daily Swig that “it wouldn't give an attacker a literal live feed of a victim’s location, since Bumble doesn't update location all that often,” but it would give stalkers access to important information like a home address to target potential victims.

"Revealing the exact location of Bumble users presents a grave danger to their safety, so I have filed this report with a severity of 'High,'" Heaton wrote in his report to the company.

A similar location-leaking vulnerability was found in Tinder back in 2013 by another researcher. Tinder fixed that problem by rounding up distances instead of reporting them with “15 decimal places of precision,” which Bumble also appears to have been doing and had already addressed in the same way. Still, as Heaton discovered, the female-friendly app remained exposed to potential security breaches even with that earlier fix in place.
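To make the point of the two paragraphs above concrete, here is an added example (not Bumble’s API, not Heaton’s tooling) on a constructed flat-plane model: a probe profile is moved along a ray until the rounded-down distance flips, which places the other user on a circle of known radius, and three such circles are trilaterated. The assumed mitigation in `snapped_oracle`, snapping both parties to a coarse grid cell before measuring, is mine, not something the article attributes to Bumble, and the function and constant names are constructed for the example.

```python
import math
# Constructed flat-plane model in miles: example code, not Bumble's API or Heaton's tooling.
VICTIM = (3.3712, -1.8455)  # true position, visible only to the distance oracle
CELL = 1.0                  # assumed grid size for the hardened policy

def distance(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])

def floor_oracle(querier):
    """Exact positions, distance rounded down to whole miles (the Tinder-style fix)."""
    return math.floor(distance(querier, VICTIM))

def snapped_oracle(querier):
    """Assumed mitigation: snap both parties to a grid cell before measuring, so the
    reported value depends only on cells and cannot pin down an exact position."""
    snap = lambda p: tuple(math.floor(c / CELL) * CELL + CELL / 2 for c in p)
    return math.floor(distance(snap(querier), snap(VICTIM)))

def find_flip(oracle, start, direction, span=10.0, tol=1e-6):
    """Bisect along a unit-direction ray until the reported distance changes. With a floor
    oracle the true distance at that point equals the larger of the two reported values."""
    at = lambda t: (start[0] + t * direction[0], start[1] + t * direction[1])
    lo, hi = 0.0, span
    v_lo, v_hi = oracle(at(lo)), oracle(at(hi))
    assert v_lo != v_hi, "ray never crosses a rounding boundary"
    while hi - lo > tol:
        mid = (lo + hi) / 2
        v_mid = oracle(at(mid))
        if v_mid == v_lo:
            lo = mid
        else:
            hi, v_hi = mid, v_mid
    return at(lo), max(v_lo, v_hi)

def trilaterate(c1, c2, c3):
    """Intersect three circles (x, y, r) by subtracting their equations pairwise."""
    (x1, y1, r1), (x2, y2, r2), (x3, y3, r3) = c1, c2, c3
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    d, e = 2 * (x3 - x2), 2 * (y3 - y2)
    f = r2**2 - r3**2 - x2**2 + x3**2 - y2**2 + y3**2
    return ((c * e - f * b) / (e * a - b * d), (c * d - a * f) / (b * d - a * e))

# Three probe rays (start, unit direction), chosen so the flip points are not collinear.
PROBES = [((0.0, 0.0), (1.0, 0.0)), ((0.0, -6.0), (1.0, 0.0)), ((8.0, 5.0), (0.0, -1.0))]
def locate_error(oracle):
    """Distance in miles between the trilaterated estimate and the true position."""
    circles = [(p[0], p[1], r) for p, r in (find_flip(oracle, s, d) for s, d in PROBES)]
    return distance(trilaterate(*circles), VICTIM)
```

With the floor-only policy the estimate lands within a fraction of a yard of the true position; with the grid policy the flip points fall on cell edges, so the error stays on the order of the cell size.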

This hasn’t been the dating app’s only potential API security breach. In November 2020, researchers at Independent Security Evaluators found that they could bypass paying for Bumble’s premium features, as well as access personal information from users, including pictures.

Bumble has since addressed these issues, but it reportedly did not act on the information from the researchers who discovered the vulnerability until they said they wanted to publish their findings. The company said in a statement back in November: “Bumble’s security team works around the clock to ensure all security-related issues are resolved swiftly, and confirmed that no user data was compromised.”

For more on this dating service you can read our Bumble review.

Dating Sites Reviews - A Vulnerability in Bumble Platform Allows Location Leaks
https://www.datingsitesreviews.com/article.php?story=a-vulnerability-in-bumble-platform-allows-location-leaks

[*1] https://portswigger.net/daily-swig/trilateration-vulnerability-in-dating-app-bumble-leaked-users-exact-location