A security researcher has discovered a vulnerability in the popular dating app Bumble that could have allowed an attacker to pinpoint the precise location of other users of the service.
Robert Heaton, who works as a software engineer at the payments company Stripe, discovered the vulnerability in the dating app and then proceeded to develop and execute a ‘trilateration’ attack to test his findings which he’s detailed in a new blog post.
If the vulnerability discovered by Heaton were to be exploited by an attacker, they could use Bubmle’s app and service to discover a victims home address as well as track their movements in the real world to some degree. However, as Bumble doesn’t update the location of its users all that often in its app, it wouldn’t provide an attacker with a live feed of a victim’s location, just a general idea.
Bumble users don’t need to be worried though as Heaton reported his findings to the company via HackerOne after which it patched the vulnerability just three days later. For his efforts, Heaton received a bug bounty payment to the tune of $2,000.
Tracking a Bumble user’s location
During his research regarding location tracking in Bumble, Heaton created an automated script that sent a sequence of requests to the company’s servers. These requests repeatedly relocated the ‘attacker’ before requesting the distance to the victim.
According to Heaton, if an attacker can find the point at which the reported distance of another Bumble user flips from 3 miles to 4 miles, they can then infer that this is the point at which their victim is exactly 3.5 miles away from them. After finding these so-called “flipping points” the attacker would then have three exact distances to their victim which would make precise triangulation possible.
Additionally, Heaton managed to to spoof ‘swipe yes’ requests in the Bumble app on anyone who also declared an interest to a profile without paying a $1.99 fee by circumventing signature checks for API requests.
Bumble has since fixed the vulnerability discovered by Heaton but single people that frequently use online dating apps should also consider installing a VPN on their smartphones to avoid unwanted tracking online and in this case, in the real world.
Via The Daily Swig