Posted on November 16, 2020 at 7:34 PM
Bumble stands as one of the more ethically focused dating apps out there, and, depending on who you ask, that doesn’t mean much, or it means the world. Regardless of what you might think, the dating app boasts a user count of 95 million strong, but recent research shows that they may be lacking in keeping these users secure.
Finding A Troubling Vulnerability
Independent Security Evaluators, a research firm in San Diego, had its researchers recently discover something troubling. Even if these users had been banned from the service, a veritable wealth of information on Bumble’s daters was still available to them.
While this vulnerability has already been remedied earlier this month by Bumble itself, it took the company 200 days since they were notified by researchers to fix it. Through this vulnerability, it’s possible for a single account to get the identities of every user in Bumble, which is troubling, to say the least.
Should a user have their Bumble account be connected with their Facebook counterpart, all their “interests” and liked pages could be retrieved by way of Bumble’s platform.
An aspiring hacker could even go as far as to acquire information regarding what the bumble user in question is looking for in their prospective partner. Furthermore, these malicious actors could see all the pictures they uploaded to Bumble itself.
Going As Far As To Locate Someone
One of the most worrying aspects about this already-patched exploit, however, is it was possible to gain a rough estimate of a Bumble user’s location should they be in the same city.
All the user needs to do is look at their “distance in miles” perimeter. Should a hacker be dedicated enough, they could spoof a handful of accounts, using said accounts to triangulate the coordinates of a target through some clever math.
One of the security analysts at ISE, Sanjana Sarda, highlighted that these features would make it trivial for a hacker to target a specific user.
Sarda had discovered the vulnerabilities, to begin with, and highlighted how hackers could just as easily gain access to premium futures, allowing for advanced filtering and unlimited votes absolutely free.
Bumble’s Seeming Lack Of Testing
All of this was done thanks to the way Bumble had developed its application programming interface, or API, which defines how an app gains access to computer data. In Bumble’s case, it accesses the servers of the app managing its user data.
Sarda highlighted how Bumble’s API allowed her to probe the server for other users’ information repeatedly thanks to the API not doing the needed checks and limits it should.
A prime example would be that she could enumerate every ID number of each user through simply adding one to a previous one. Sarda eventually got locked out, but the analyst was still quite capable of drawing out private data from Bumble’s servers, doing this all with, in her words, a simple script.
Eventually Fixing The Problem
Sarda highlighted the relative simplicity in exploiting these vulnerabilities, highlighting how sufficient testing could have easily prevented them from being there in the first place.
She highlighted that the issues should be easily fixed, as well, due to how the potential fixes primarily involved rate-limiting and request verification server-side.
With the ease it was to steal data on every user on Bumble, holding the potential of selling this information or doing your own surveillance, Sarda went to prove a point.
People typically trust big brands too much when it comes to their private information, especially those available through the Google Play market or the App Store.
Sarda stated that this is a problem for anyone who even remotely cares about their privacy and the personal information they show the world.
Bumble had eventually fixed the issue, though they took more than six months to do it. In its public statement, a spokesperson claimed that Bumble and HackerOne had close ties, with the app’s cybersecurity practice including a bug bounty program.
Once Bumble was alerted, it claimed that the multi-phase remediation process was enacted, set to put in controls to protect all of its user data while the fix was being put into place. The spokesperson stated that no user data has been compromised, and that the issue has been resolved.