Research targeting popular dating applications found security loopholes in dating app Bumble’s web application and API, leaving users’ personal information vulnerable to extraction by attackers. However, the company claimed that none of the user data had actually been compromised as a result.
The app’s API, which tells the Bumble server what data to return from its endpoints, was the cause: user authentication was insecure and no rate-limiting checks were in place. Because private data could be requested directly from the Bumble server, attackers could use multiple fake (even unverified!) accounts to extract users’ names, pictures, and rough locations.
If users had connected their Facebook accounts, their dating preferences and Facebook likes could also be obtained. Additionally, users could bypass the restrictions on Bumble’s premium features through the web application.
“Bumble is no longer using sequential user ids and has updated its previous encryption scheme. This means that an attacker cannot dump Bumble’s entire user base anymore using the attack as described here,” stated Sanjana Sarda, one of the analysts involved in this research. She added that tracking a user’s location by triangulation is no longer possible, as the API no longer provides distance in miles after the patching efforts.
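Detection logic for the enumeration pattern described above (one account walking sequential profile IDs at a rate no rate limit stops), as an added example that is not Bumble’s or ISE’s code; the log format (timestamp, requesting account, requested profile ID) and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample API access log: "<ISO timestamp> <requesting account> <profile id>".
# acct_a walks consecutive IDs in seconds (enumeration), acct_b browses normally,
# acct_c requests consecutive IDs but slowly, so a rate-based window never fills.
SAMPLE_LOG = """\
2020-03-02T10:00:00 acct_a 1001
2020-03-02T10:00:01 acct_a 1002
2020-03-02T10:00:00 acct_b 4412
2020-03-02T10:00:02 acct_a 1003
2020-03-02T10:00:03 acct_a 1004
2020-03-02T10:00:00 acct_c 5001
2020-03-02T10:00:04 acct_a 1005
2020-03-02T10:00:05 acct_a 1006
2020-03-02T10:02:30 acct_b 987
2020-03-02T10:00:06 acct_a 1007
2020-03-02T10:03:00 acct_c 5002
2020-03-02T10:00:07 acct_a 1008
2020-03-02T10:06:00 acct_c 5003
2020-03-02T10:05:10 acct_b 2210
2020-03-02T10:09:00 acct_c 5004
2020-03-02T10:12:00 acct_c 5005
"""


def parse_line(line):
    ts, acct, pid = line.split()
    return datetime.fromisoformat(ts), acct, int(pid)


def find_enumeration(log_text, window_seconds=60, min_requests=5, min_sequential_ratio=0.8):
    """Flag accounts that, within any window_seconds span, fetch at least min_requests
    profiles where the fraction of +1 steps between consecutive IDs is high."""
    by_acct = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, acct, pid = parse_line(line)
            by_acct[acct].append((ts, pid))
    flagged = {}
    for acct, reqs in by_acct.items():
        reqs.sort()  # chronological order per account
        for start in range(len(reqs)):
            end = start  # grow the window while it stays inside window_seconds
            while end + 1 < len(reqs) and (reqs[end + 1][0] - reqs[start][0]).total_seconds() <= window_seconds:
                end += 1
            ids = [pid for _, pid in reqs[start:end + 1]]
            if len(ids) < min_requests:
                continue
            steps = [b - a for a, b in zip(ids, ids[1:])]
            ratio = sum(1 for s in steps if s == 1) / len(steps)
            if ratio >= min_sequential_ratio:
                flagged[acct] = {"requests": len(ids), "sequential_ratio": round(ratio, 2)}
                break
    return flagged
```

Random, non-sequential IDs make the +1 step signal disappear, which is why the ID change Sarda describes matters independently of rate limiting.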
Although security firm Independent Security Evaluators (ISE) informed Bumble in March 2020, the company had not fixed any of the issues as of November 01, 2020. By November 11, 2020, mitigation had begun, giving reason to believe that Bumble will patch each flaw soon.
“After being alerted to the issue we then began the multi-phase remediation process that included putting controls in place to protect all user data while the fix was being implemented,” stated a Bumble spokesperson.