Bumble prides itself on being one of the more ethically-minded dating apps. But is it doing enough to protect the private data of its 95 million users? In some ways, not so much, according to research shown to Forbes ahead of its public release.
Researchers at the San Diego-based Independent Security Evaluators discovered that even if they’d been banned from the service, they could acquire a wealth of information on daters using Bumble. Prior to the flaws being fixed earlier this month, having been open for at least 200 days since the researchers alerted Bumble, they could acquire the identities of every Bumble user. If an account was connected to Facebook, it was possible to retrieve all of their “interests” or pages they have liked. A hacker could also acquire information on the exact kind of person a Bumble user is looking for and all the pictures they uploaded to the app.
Perhaps most worryingly, if based in the same city as the hacker, it was possible to get a user’s rough location by looking at their “distance in miles.” An attacker could then spoof locations of a handful of accounts and then use maths to try to triangulate a target’s coordinates.
“This is trivial when targeting a specific user,” said Sanjana Sarda, a security analyst at ISE, who discovered the issues. For thrifty hackers, it was also “trivial” to access premium features like unlimited votes and advanced filtering for free, Sarda added.
This was all possible because of the way Bumble’s API, or application programming interface, worked. Think of an API as the software that defines how an app or set of apps can access data from a computer. In this case the computer is the Bumble server that manages user data.
Sarda said Bumble’s API didn’t do the necessary checks and didn’t impose rate limits, which allowed her to repeatedly probe the server for information on other users. For instance, she could enumerate all user ID numbers by simply adding one to the previous ID. Even when she was locked out, Sarda was able to continue drawing what should’ve been private data from Bumble servers. All this was done with what she says was a “simple script.”
“These issues are relatively simple to exploit, and sufficient testing would remove them from production. Likewise, fixing these issues should be relatively easy as potential fixes involve server-side request verification and rate-limiting,” Sarda said.
As it was so easy to steal data on all users and potentially perform surveillance or resell the information, it highlights the perhaps misplaced trust people have in big brands and apps available through the Apple App Store or Google’s Play market, Sarda added. Ultimately, that’s a “huge issue for everyone who cares even remotely about personal information and privacy.”
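To make the two fixes Sarda names concrete, here is an added illustration (not Bumble's code and not from ISE's research): a minimal profile endpoint written the way the article describes the flaw, beside a hardened version that verifies the caller server-side, checks that the caller is actually entitled to the requested profile, and rate-limits lookups. The user records, match list and limit values are constructed for the example.

```python
import time
from collections import defaultdict, deque

# Constructed sample data: sequential user IDs, as the article describes.
USERS = {
    1001: {"name": "Alice", "banned": False, "photos": ["a1.jpg"]},
    1002: {"name": "Bob", "banned": False, "photos": ["b1.jpg"]},
    1003: {"name": "Mallory", "banned": True, "photos": []},
}
# Who each user has actually matched with (constructed).
MATCHES = {1001: {1002}, 1002: {1001}}

def vulnerable_profile(caller_id, target_id):
    """The pattern described in the article: no check on the caller and no
    limit, so any ID (even the previous ID plus one) returns a profile."""
    return USERS.get(target_id)

class ProfileApi:
    """Hardened handler: caller verification, object-level authorization
    and a sliding-window rate limit per caller."""

    def __init__(self, max_requests=5, window_seconds=60, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock          # injectable so tests are deterministic
        self._hits = defaultdict(deque)

    def _over_limit(self, caller_id):
        now = self.clock()
        hits = self._hits[caller_id]
        while hits and now - hits[0] > self.window:   # drop stale entries
            hits.popleft()
        if len(hits) >= self.max_requests:
            return True
        hits.append(now)
        return False

    def profile(self, caller_id, target_id):
        caller = USERS.get(caller_id)
        if caller is None or caller["banned"]:        # session must be active
            return {"error": "unauthorized"}, 401
        if self._over_limit(caller_id):               # count every attempt
            return {"error": "too many requests"}, 429
        if target_id not in MATCHES.get(caller_id, ()):  # object-level check
            return {"error": "forbidden"}, 403
        target = USERS[target_id]
        return {"name": target["name"], "photos": target["photos"]}, 200
```

Counting rejected lookups against the limit matters: a caller walking through IDs will mostly hit 403s, and those attempts are exactly what the rate limit should slow down.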
Flaws fixed… half a year later
Though it took some six months, Bumble fixed the problems earlier this month, with a spokesperson adding: “Bumble has had a long history of collaboration with HackerOne and its bug bounty program as part of our overall cyber security practice, and this is another example of that partnership. After being alerted to the issue we then began the multi-phase remediation process that included putting controls in place to protect all user data while the fix was being implemented. The underlying user security related issue has been resolved and there was no user data compromised.”
Sarda disclosed the problems back in March. Despite repeated attempts to get a response over the HackerOne vulnerability disclosure website since then, Bumble had not provided one. By November 1, Sarda said the vulnerabilities were still resident on the app. Then, earlier this month, Bumble began fixing the problems.
As a stark comparison, Bumble rival Hinge worked closely with ISE researcher Brendan Ortiz when he provided information on vulnerabilities to the Match-owned dating app over the summer. According to the timeline provided by Ortiz, the company even offered to provide access to the security teams tasked with plugging holes in the software. The problems were addressed in under a month.