Researchers Find Security Flaw With Bumble App
- Wednesday, December 02 2020 @ 02:27 pm
- Contributed by: kellyseal
Dating app Bumble was informed earlier this year that its software had vulnerabilities that could expose the personal information of its 100 million users around the world.
Researchers from Independent Security Evaluators (ISE) found a problem with the app’s API that allowed them to access personal data for all of its users across platforms, including details such as their political leanings, astrological signs, education, height, weight, and even how far away they were, in addition to the city they lived in, according to Threatpost. Another problem for Bumble was that the research team was able to bypass the payment process for premium services, effectively accessing them for free.
Researcher Sanjana Sarda found that she could access the endpoint “server_get_user” for Bumble users and was also able to retrieve individual users’ Facebook data.
According to Tech Radar, Bumble’s API did not perform the necessary checks on whether a user was authorized to perform a certain action, and had no limits on requests, so it was possible for a hacker to access private data from Bumble’s servers on any of its users. When a Bumble profile was connected to Facebook, the hacker could access that data, too, including photos.
“This is a breach of user privacy as specific users can be targeted, user data can be commodified or used as training sets for facial machine-learning models, and attackers can use triangulation to detect a specific user’s general whereabouts,” Sarda told Threatpost. “Revealing a user’s sexual orientation and other profile information can also have real-life consequences.”
Sarda shared her findings privately with Bumble, but after waiting 225 days for a response, decided to go public with this information so its users weren’t put at risk. Bumble platform host HackerOne said in response that it works with “ethical hackers” to look for bugs and security risks on its platform and is working to resolve the issues pointed out by ISE.
The dating app updated its encryption so that user IDs were no longer sequential and therefore less vulnerable, addressing one of the main areas of concern. However, Sarda found that she was still able to access Facebook information.
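The two API weaknesses the article describes (an endpoint that hands back any user’s full record to whoever names an ID, with no per-caller request limit) and the fix it mentions (replacing sequential user IDs with non-sequential ones) can be shown side by side. The following is an added illustration, not Bumble’s or ISE’s code; the profiles, session tokens, field names and the `server_get_user_*` function names are constructed for the example, and the rate limiter is a simple fixed-window counter chosen here, not the one Bumble uses.

```python
"""Constructed example: a profile endpoint without object-level authorization
beside a hardened version with an ownership check, opaque IDs and a per-caller
request limit. Not real user data and not the dating app's code."""
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample profiles keyed by sequential integer IDs, the pattern the
# article says made enumeration possible.
PROFILES: Dict[int, dict] = {
    1: {"name": "alice", "city": "Austin", "politics": "liberal", "height_cm": 170},
    2: {"name": "bob", "city": "Denver", "politics": "moderate", "height_cm": 180},
}

# Fields any logged-in user may see about another user; everything else is
# returned only to the profile's owner.
PUBLIC_FIELDS = {"name", "city"}

# Constructed session store: bearer token -> internal user id.
SESSIONS: Dict[str, int] = {"tok-alice": 1, "tok-bob": 2}

# Opaque, non-sequential public identifiers mapped back to internal ids, so a
# caller cannot walk the user table by incrementing a number.
OPAQUE_IDS: Dict[str, int] = {secrets.token_urlsafe(16): uid for uid in PROFILES}


def opaque_id_for(user_id: int) -> str:
    """Look up the public identifier issued for an internal user id."""
    return next(o for o, u in OPAQUE_IDS.items() if u == user_id)


def server_get_user_vulnerable(user_id: int) -> Optional[dict]:
    """Broken object-level authorization: no check on who is asking, and the
    full record (including private fields) is returned for any integer id."""
    return PROFILES.get(user_id)


class RateLimiter:
    """Fixed-window limiter: at most `limit` calls per caller per `window` seconds."""

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits: Dict[str, List[float]] = {}

    def allow(self, caller: str) -> bool:
        now = self.clock()
        # Drop timestamps that have aged out of the window before counting.
        hits = [t for t in self._hits.get(caller, []) if now - t < self.window]
        if len(hits) >= self.limit:
            self._hits[caller] = hits
            return False
        hits.append(now)
        self._hits[caller] = hits
        return True


def server_get_user_hardened(session_token: str, target_opaque_id: str,
                             limiter: RateLimiter) -> Tuple[int, Optional[dict]]:
    """Return (http_status, body) the way a handler would.

    Order of checks: authenticate the caller, apply the per-caller limit,
    resolve the opaque id, then apply object-level authorization so that only
    the owner receives private fields."""
    requester = SESSIONS.get(session_token)
    if requester is None:
        return 401, None
    if not limiter.allow(session_token):
        return 429, None
    target = OPAQUE_IDS.get(target_opaque_id)
    if target is None:
        return 404, None
    record = PROFILES[target]
    if target == requester:
        return 200, dict(record)
    # Another user: strip everything outside the public subset.
    return 200, {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


if __name__ == "__main__":
    limiter = RateLimiter(limit=5, window=60.0)
    print("vulnerable:", server_get_user_vulnerable(2))
    print("hardened (alice -> bob):",
          server_get_user_hardened("tok-alice", opaque_id_for(2), limiter))
```

The vulnerable function is the whole story in one line: a lookup with no notion of a caller. The hardened handler keeps the same data model but refuses unauthenticated calls, counts requests per session, only accepts identifiers that cannot be enumerated, and decides field by field what a non-owner is allowed to see; a real deployment would also log 401 and 429 responses so that scraping attempts show up in monitoring.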
HackerOne did not address specific problems, but went on to say in response to Sarda’s findings: “Vulnerability disclosure is a vital part of any organization’s security posture. While the issue reported on HackerOne was resolved by Bumble’s security team, the information disclosed to the public includes information far exceeding what was responsibly disclosed to them initially. Bumble’s security team works around the clock to ensure all security-related issues are resolved swiftly, and confirmed that no user data was compromised.”
