Millions of users of the dating app Bumble may have had their online privacy compromised due to security flaws that were left unpatched for more than six months.
Researchers from California-based Independent Security Evaluators (ISE) found that sensitive information pertaining to every Bumble user could be easily acquired by an attacker, even if they had previously been banned from the app.
Because Bumble’s API did not perform the necessary checks on whether a request issuer was authorized to perform a specific action nor set limits on the number of requests that could be sent, it was possible to access data from Bumble’s servers that should have remained private. If a Bumble profile was connected to Facebook, hackers could gain access to even more information, including the type of date they were looking for and the images they had uploaded to the app.
Of greater concern was the ability to discover a user’s rough location as long as they were based in the same city as the hacker. By evaluating a user’s “distance in miles” across several fake accounts, hackers could potentially triangulate a user’s position with alarming accuracy.
Bumble’s security blunder
The security flaws found by ISE are straightforward to exploit, involving a simple script. They are also easy to identify and fix, which makes it all the more worrying that they were allowed to put so many users at risk.
“As of November 1, 2020, all the attacks mentioned in this blog still worked,” Sanjana Sarda, a security analyst at ISE, said. “When retesting for the following issues on November 11, 2020, certain issues had been partially mitigated. Bumble is no longer using sequential user ids and has updated its previous encryption scheme. This means that an attacker cannot dump Bumble’s entire user base anymore using the attack as described here.”
Although the security issues are now being fixed, Bumble was first alerted of them all the way back in March. Unfortunately, this delay has given attackers a huge window of opportunity.