Bumble denies cyberattack after fixing security issue

hacker targeting a PC
(Image credit: Shutterstock)

UPDATE: A Bumble spokesperson told TechRadar Pro that, "Bumble has had a long history of collaboration with HackerOne and it’s bug bounty program as part of our overall cyber security practice, and this is another example of that partnership. After being alerted to the issue we then began the multi-phase remediation process that included putting controls in place to protect all user data while the fix was being implemented. The underlying user security related issue has been resolved and there was no user data compromised." We have amended the story below to reflect this.

Dating app Bumble has reassured users after patching a security flaw in its systems.

Researchers from California-based Independent Security Evaluators (ISE) found that sensitive information pertaining to every Bumble user could be easily acquired by an attacker, even if they had previously been banned from the app.

Because Bumble’s API did not perform the necessary checks on whether a request issuer was authorized to perform a specific action nor set limits on the number of requests that could be sent, it could have been possible to access data from Bumble’s servers that should have remained private. If a Bumble profile was connected to Facebook, hackers could have gained access to even more information, including the type of date they were looking for and the images they had uploaded to the app.

Of greater concern was the ability to potentially discover a user’s rough location as long as they were based in the same city as the hacker. By evaluating a user’s “distance in miles” across several fake accounts, hackers could potentially triangulate a user’s position with alarming accuracy.

Bumble security

The security flaws found by ISE would have been straightforward to exploit, involving a simple script. They are also easy to identify and fix, which makes it all the more worrying that they were allowed to put so many users at risk.

“As of November 1, 2020, all the attacks mentioned in this blog still worked,” Sanjana Sarda, a security analyst at ISE, said. “When retesting for the following issues on November 11, 2020, certain issues had been partially mitigated. Bumble is no longer using sequential user ids and has updated its previous encryption scheme. This means that an attacker cannot dump Bumble’s entire user base anymore using the attack as described here.”

Although the security issues are now being fixed, Bumble was first alerted of them all the way back in March.

Via Forbes

Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.