Skip to main content

Bumble security flaw could have let anyone track you down

app security
(Image credit: Shutterstock.com)
Audio player loading…

Experts have uncovered a potential serious security vulnerability in popular dating app Bumble (opens in new tab) that could have allowed an attacker to pinpoint the precise location of other users of the service.

Robert Heaton, a software engineer at payments company Stripe (opens in new tab), discovered the vulnerability in the dating app (opens in new tab) and then proceeded to develop and execute a 'trilateration' attack to test his findings.

In a blog post (opens in new tab), Heaton outlined how if the vulnerability were to be exploited by an attacker, they could use Bubmle's app and service to discover a victims home address as well as track their movements in the real world to some degree. 

However, as Bumble doesn't update the location of its users all that often in its app, it wouldn't provide an attacker with a live feed of a victim's location, just a general idea.

Luckily, Bumble users have no reason to panic, as Heaton reported his findings to the company via HackerOne (opens in new tab). The dating service patched the vulnerability just three days later, and paid Heaton bug bounty (opens in new tab) payment to the tune of $2,000.

Tracking a Bumble user's location

During his research regarding location tracking in Bumble, Heaton created an automated script that sent a sequence of requests to the company's servers. These requests repeatedly relocated the 'attacker' before requesting the distance to the victim.

According to Heaton, if an attacker can find the point at which the reported distance of another Bumble user flips from 3 miles to 4 miles, they can then infer that this is the point at which their victim is exactly 3.5 miles away from them. After finding these so-called “flipping points” the attacker would then have three exact distances to their victim which would make precise triangulation possible.

Additionally, Heaton managed to to spoof 'swipe yes' requests in the Bumble app on anyone who also declared an interest to a profile without paying a $1.99 fee by circumventing signature checks for API requests.

Bumble has since fixed the vulnerability discovered by Heaton but single people that frequently use online dating apps should also consider installing a VPN (opens in new tab) on their smartphones to avoid unwanted tracking online and in this case, in the real world. 

Via The Daily Swig (opens in new tab)

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.