Bumble Takes Six Months to Fix Security Flaws Exposing User Locations

Written by Dominic Whitlock

Bumble has fixed security flaws that made it possible for hackers to find users’ exact locations, more than six months after it was first alerted by security researchers.

A team at Independent Security Evaluators discovered that it was able to view all of a member’s pictures and Facebook interests, even when using an account that had been blocked by the app.

Furthermore, hackers could have used the ‘distance-from’ feature to find exact geolocations.

Bumble’s application programming interface (API) reportedly didn’t conduct the necessary checks or have limits to prevent repeated server probes.

Sanjana Sarda, security analyst at Independent Security Evaluators, explained to Forbes: “These issues are relatively simple to exploit, and sufficient testing would remove them from production. Likewise, fixing these issues should be relatively easy as potential fixes involve server-side request verification and rate-limiting.”
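As an added illustration of the two fixes the quote above names (server-side request verification and rate limiting), and not code from Bumble or Independent Security Evaluators, here is a simulated distance-from endpoint in its unchecked form beside a hardened form. The block list, the locations, the per-user limit and the coarsened distance are all constructed assumptions for the example.

```python
import math
import time
from collections import defaultdict, deque

# Constructed sample data: who has blocked whom, and each profile's location (lat, lon).
BLOCKED = {"bob": {"alice"}}  # bob has blocked alice
LOCATIONS = {
    "alice": (51.50, -0.12),
    "bob": (51.51, -0.10),
    "carol": (51.52, -0.11),
}

def distance_km(a, b):
    """Equirectangular approximation of the distance between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    x = (lon2 - lon1) * math.cos((lat1 + lat2) / 2)
    y = lat2 - lat1
    return math.hypot(x, y) * 6371.0

class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per key."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.calls[key]
        while q and now - q[0] > self.window:
            q.popleft()          # drop timestamps outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def distance_from_unchecked(requester, target):
    # Weak shape: no server-side check of block status and no limit on repeated calls.
    return distance_km(LOCATIONS[requester], LOCATIONS[target])

LIMITER = RateLimiter(limit=5, window=60)  # assumed limit: 5 calls per minute per requester

def distance_from_hardened(requester, target, now=None):
    # Server-side verification: a target who has blocked the requester is not queryable.
    if requester in BLOCKED.get(target, set()):
        return {"error": "forbidden"}
    # Rate limiting per requester throttles repeated probing of the same endpoint.
    if not LIMITER.allow(requester, now):
        return {"error": "rate_limited"}
    # Coarsening the reported distance is an additional assumption, not from the article.
    return {"distance_km": round(distance_km(LOCATIONS[requester], LOCATIONS[target]), 1)}
```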

The social and dating app was made aware of the flaws midway through March, but did not complete the necessary fixes until November.

A spokesperson for Bumble told Forbes: “Bumble has had a long history of collaboration with HackerOne and its bug bounty program as part of our overall cyber security practice, and this is another example of that partnership. 

“After being alerted to the issue we then began the multi-phase remediation process that included putting controls in place to protect all user data while the fix was being implemented. The underlying user security related issue has been resolved and there was no user data compromised.”

