UPDATE: A Bumble spokesperson told TechRadar Pro that, "Bumble has had a long history of collaboration with HackerOne and it’s bug bounty program as part of our overall cyber security practice, and this is another example of that partnership. After being alerted to the issue we then began the multi-phase remediation process that included putting controls in place to protect all user data while the fix was being implemented. The underlying user security related issue has been resolved and there was no user data compromised." We have amended the story below to reflect this.
Dating app Bumble has reassured users after patching a security flaw in its systems.
Researchers from California-based Independent Security Evaluators (ISE) found that sensitive information pertaining to every Bumble user could be easily acquired by an attacker, even if they had previously been banned from the app.
Because Bumble’s API did not perform the necessary checks on whether a request issuer was authorized to perform a specific action nor set limits on the number of requests that could be sent, it could have been possible to access data from Bumble’s servers that should have remained private. If a Bumble profile was connected to Facebook, hackers could have gained access to even more information, including the type of date they were looking for and the images they had uploaded to the app.
- We've put together a list of the best malware removal solutions
- These are the best ransomware removal tools on the market
- Also check out our roundup of the best VPN services
Of greater concern was the ability to potentially discover a user’s rough location as long as they were based in the same city as the hacker. By evaluating a user’s “distance in miles” across several fake accounts, hackers could potentially triangulate a user’s position with alarming accuracy.
The security flaws found by ISE would have been straightforward to exploit, involving a simple script. They are also easy to identify and fix, which makes it all the more worrying that they were allowed to put so many users at risk.
“As of November 1, 2020, all the attacks mentioned in this blog still worked,” Sanjana Sarda, a security analyst at ISE, said. “When retesting for the following issues on November 11, 2020, certain issues had been partially mitigated. Bumble is no longer using sequential user ids and has updated its previous encryption scheme. This means that an attacker cannot dump Bumble’s entire user base anymore using the attack as described here.”
Although the security issues are now being fixed, Bumble was first alerted of them all the way back in March.
- We've also highlighted the best antivirus software