A security researcher has spotted a critical Bumble security flaw that stalkers could exploit to find the locations of individuals.
If this security flaw is abused, the potential damage can be devastating.
Bumble Security Flaw Spotted
According to a story by TechRadar, a security researcher recently discovered a vulnerability in the popular dating app Bumble.
The vulnerability could allow an attacker to pinpoint the precise location of other Bumble users.
Robert Heaton, who reportedly works as a software engineer at the payments company Stripe, discovered the vulnerability in the dating app and then developed and executed a “trilateration” attack to test his findings.
Robert Heaton detailed his findings in a blog post.
Trilateration Used to Find Victim’s Location
If an attacker exploited the vulnerability Heaton discovered, they could use Bumble’s app and service to find a victim’s home address and, to a degree, track their movements in the real world.
Bumble, however, does not update the location of its users very often in its app.
It reportedly would not give an attacker a live feed of a victim’s location, only a general idea.
Bumble users do not need to be worried: Heaton reported the findings to the company through HackerOne, and the vulnerability was patched after three days. To be safe, users should still update the app immediately.
Meanwhile, the dating app did a recent survey that found that 30% of 1,000 Americans won’t go on dates with unvaccinated people.
Heaton Gets $2,000 Reward
For his efforts, Heaton received a bug bounty payment of $2,000.
During his research into location tracking within the Bumble app, Heaton reportedly created an automated script that sends a sequence of requests to the company’s servers.
These requests repeatedly relocate the “attacker” before requesting the distance to the victim.
Heaton noted that if an attacker can find the point at which the reported distance to another Bumble user flips from three to four miles, they can infer that this is the point at which the victim is exactly 3.5 miles from them.
Bumble Fixes Vulnerability
After finding the “flipping points,” the attacker has three exact distances to the victim, which would reportedly make precise triangulation possible.
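The request pattern described above, an account that repeatedly relocates and then asks for the distance to the same profile, is something a service can look for in its own request logs. The following detection example is added here and is not code from Heaton's research or from Bumble; the event schema, account names, thresholds and sample events are all constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample events (hypothetical schema): (epoch_s, account, action, detail)
# "loc" detail = (lat, lon) reported; "dist" detail = profile whose distance was requested.
EVENTS = [
    (0,    "acct_A", "loc",  (40.70, -74.00)),
    (2,    "acct_A", "dist", "profile_V"),
    (5,    "acct_A", "loc",  (40.76, -74.00)),
    (7,    "acct_A", "dist", "profile_V"),
    (10,   "acct_A", "loc",  (40.70, -73.92)),
    (12,   "acct_A", "dist", "profile_V"),
    (15,   "acct_A", "loc",  (40.65, -74.03)),
    (17,   "acct_A", "dist", "profile_V"),
    (0,    "acct_B", "loc",  (51.50, -0.12)),
    (30,   "acct_B", "dist", "profile_W"),
    (3600, "acct_B", "loc",  (51.51, -0.12)),
    (3630, "acct_B", "dist", "profile_X"),
]

def miles(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 3958.8 * math.asin(math.sqrt(h))

def flag_probing(events, min_pairs=3, max_mph=600.0):
    """Count distance queries that directly follow an implausibly fast relocation,
    per (account, target), and return those at or above min_pairs."""
    last_loc = {}             # account -> (time, point) of the previous location update
    jumped = {}               # account -> latest relocation exceeded max_mph
    pairs = defaultdict(int)  # (account, target) -> relocate-then-query count
    for t, acct, action, detail in sorted(events, key=lambda e: e[0]):
        if action == "loc":
            if acct in last_loc:
                t0, p0 = last_loc[acct]
                hours = max(t - t0, 1) / 3600  # clamp to 1 s to avoid dividing by zero
                jumped[acct] = miles(p0, detail) / hours > max_mph
            last_loc[acct] = (t, detail)
        elif action == "dist" and jumped.pop(acct, False):
            pairs[(acct, detail)] += 1
    return {k: n for k, n in pairs.items() if n >= min_pairs}
```

A speed threshold alone weakens as relocations get smaller, so in practice it would be combined with a cap on location updates per account per time window.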
In addition, Heaton also managed to spoof the “swipe yes” request in Bumble on anyone who had also declared an interest in a profile, without having to pay the $1.99 fee, by circumventing signature checks for new API requests.
Bumble has reportedly fixed the vulnerability that Heaton discovered, but single people who use online dating apps should, according to TechRadar, consider using a VPN in order to avoid unwanted tracking online or in the real world.
In related news, about 700 Bumble employees got burnout leave in July.
This article is owned by Tech Times
Written by Urian B.
ⓒ 2021 TECHTIMES.com All rights reserved. Do not reproduce without permission.