Millions of Bumblers’ personal information exposed in dating app security flaw
Popular dating app Bumble says it has fixed a security vulnerability on its platform that could have allowed hackers to steal the personal data of millions of users.
No user data was compromised as a result of the flaw, the company claimed.
Researchers from cyber security firm Independent Security Evaluators (ISE) uncovered the flaw: a bug in the app’s API, the interface through which the app requests data from Bumble’s servers.
In a blog post, ISE security analyst Sanjana Sarda revealed that she reverse-engineered Bumble’s API and discovered that many endpoints processed requests without the server checking whether the caller was entitled to the data.
She also found that the API did not rate-limit requests, so nothing stopped an unauthorised individual from repeatedly querying the server for information about users.
Sarda claimed that the vulnerability could allow an attacker to “dump Bumble’s entire user-base, with basic user information and pictures, even if the attacker is an unverified user with a locked account.”
For profiles connected to Facebook, attackers could exploit the vulnerability to gain access to more information, including images uploaded and the type of partner that a user was looking for.
The bug could also have enabled attackers to bypass payment on Bumble’s premium features.
Sarda said that Bumble was notified about the vulnerability in March this year, but the company took more than six months to fix the issue.
“As of November 1, 2020, all the attacks mentioned in this blog still worked,” Sarda said.
“When retesting for the following issues on November 11, 2020, certain issues had been partially mitigated.”
According to Sarda, the app now uses a new encryption scheme and has stopped using sequential user IDs.
“This means that an attacker cannot dump Bumble’s entire user base anymore using the attack.”
However, Sarda said that an attacker “can still use the endpoint to obtain information such as Facebook likes, pictures, and other profile information such as dating interests.”
“This still works for an unvalidated, locked-out user, so an attacker can make unlimited fake accounts to dump user data. However, attackers can only do this for encrypted IDs that they already have (which are made available for people near you). It is likely that Bumble will fix this too within the next few days.”
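To make the three weaknesses described above concrete (no server-side check of the caller’s account state, no rate limit, and guessable sequential user IDs), here is an added, constructed in-memory profile endpoint in Python, not ISE’s or Bumble’s code; the weak handler sits beside a hardened one, and all names, IDs and sample profiles are hypothetical.

```python
# Added illustration of the API weaknesses described in the article (constructed
# in-memory toy, not ISE's or Bumble's code; all names and data are hypothetical).
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    verified: bool   # has the caller completed verification?
    locked: bool     # has the account been locked out?


# Constructed sample profiles keyed by a sequential integer user ID.
PROFILES = {uid: {"name": f"user{uid}", "interests": "hiking"} for uid in range(1, 6)}
# Hardened variant: a random, non-guessable public ID per profile.
PUBLIC_IDS = {secrets.token_hex(8): uid for uid in PROFILES}
PUBLIC_ID_OF = {uid: pid for pid, uid in PUBLIC_IDS.items()}


def get_profile_unchecked(caller: Account, user_id: int):
    """Weak handler: ignores the caller's account state, applies no rate
    limit and accepts sequential IDs, so every profile is one request away."""
    return PROFILES.get(user_id)


class RateLimiter:
    """Fixed-window counter per caller: at most `limit` requests per `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window, self.seen = limit, window, {}

    def allow(self, key: int, now=None) -> bool:
        now = time.monotonic() if now is None else now
        start, count = self.seen.get(key, (now, 0))
        if now - start >= self.window:              # window expired, start a new one
            start, count = now, 0
        self.seen[key] = (start, count + 1)
        return count < self.limit


def get_profile_checked(caller: Account, public_id: str, limiter: RateLimiter, now=None):
    """Hardened handler: returns (status, body) the way an HTTP endpoint would."""
    if not caller.verified or caller.locked:        # server-side check of caller state
        return 403, None
    if not limiter.allow(caller.account_id, now):   # throttle bulk collection
        return 429, None
    uid = PUBLIC_IDS.get(public_id)                 # opaque IDs defeat enumeration
    return (404, None) if uid is None else (200, PROFILES[uid])
```

The weak handler hands profile 3 to a locked, unverified caller; the hardened one refuses that caller outright, throttles a verified caller after the configured number of requests, and only resolves profiles by their random public ID.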
A spokesperson for Bumble said that after being alerted to the issue, the company began “the multi-phase remediation process that included putting controls in place to protect all user data while the fix was being implemented.”
The issue has now been resolved, and no user data was compromised, the spokesperson added.