A security flaw on the dating app Bumble has reportedly left the location and other profile data of many users exposed for the last six months. This was reported by cybersecurity firm Independent Security Evaluators (ISE), which claims that due to the vulnerability on the platform, “an attacker can dump Bumble’s entire user-base with basic user information and pictures even if the attacker is an unverified user with a locked account.” Researchers also found that a vulnerability on the platform allowed attackers to bypass payment for Bumble’s premium features.
Bumble was informed about the flaw in March; however, as of 1 November, none of the issues were patched. Upon retesting on 11 November, only a few issues were found to be mitigated.
“Bumble is no longer using sequential user ids and has updated its previous encryption scheme. This means that an attacker cannot dump Bumble’s entire user base anymore using the attack as described here. The API request does not provide distance in miles anymore — so tracking location via triangulation is no longer a possibility using this endpoint’s data response,” the researchers confirm.
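Sequential user IDs are what made the bulk dump described above possible. As an added illustration (not ISE's code or Bumble's), here is a small defender-side check that flags clients walking consecutive IDs in API access logs; the log format, the endpoint path and the client addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real Bumble logs). The
# "client=" field and the /api/user/<id> path are assumptions.
SAMPLE_LOG = """\
client=10.0.0.5 GET /api/user/1001 200
client=10.0.0.5 GET /api/user/1002 200
client=10.0.0.5 GET /api/user/1003 200
client=10.0.0.5 GET /api/user/1004 200
client=10.0.0.5 GET /api/user/1005 200
client=10.0.0.5 GET /api/user/1006 200
client=10.0.0.9 GET /api/user/4471 200
client=10.0.0.9 GET /api/user/1003 200
client=10.0.0.9 GET /api/user/9020 200
client=10.0.0.7 GET /api/user/200 200
client=10.0.0.7 GET /api/user/199 200
client=10.0.0.7 GET /api/user/198 200
client=10.0.0.7 GET /api/user/197 200
client=10.0.0.7 GET /api/user/196 200
"""

LINE_RE = re.compile(r"client=(\S+) GET /api/user/(\d+) ")


def longest_sequential_run(ids):
    """Length of the longest run of IDs that step by exactly +1 or -1."""
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if abs(cur - prev) == 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text, min_run=5):
    """Map client -> longest consecutive-ID run for clients at or above min_run.

    A normal user browsing profiles fetches scattered IDs; a client that walks
    IDs in order is scanning the ID space, which is the behaviour that
    predictable identifiers invite.
    """
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            per_client[m.group(1)].append(int(m.group(2)))
    runs = {c: longest_sequential_run(ids) for c, ids in per_client.items()}
    return {c: n for c, n in runs.items() if n >= min_run}


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'10.0.0.5': 6, '10.0.0.7': 5}
```

Moving to non-sequential (encrypted or random) IDs, as Bumble did, removes the ID space such a scan walks; the check above is still useful for spotting residual guessing against any endpoint that accepts numeric keys.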
tech2 has also reached out to Bumble to learn more about the vulnerability. We are yet to receive a response from the company.
However, the cybersecurity firm found that an attacker can still use the endpoint to obtain information such as Facebook likes, pictures, and other profile details such as dating interests. A locked-out user can still access all this information.
Notably, the researchers clarify that after a few issues were mitigated, attackers can now only do this for encrypted IDs they already have.
Given that some of the security flaws were recently fixed, Bumble is expected to address the remaining issues soon as well.