95 million daters could have had their online privacy compromised due to security flaws in Bumble’s API. Although the security flaws were easy to fix, they were left unpatched for more than six months after a security analyst discovered and reported them. “No user data was compromised”, a spokesperson for Bumble said.
Bumble is a location-based dating app that matches daters with one another. In heterosexual matches, only the woman can make the first move and contact a matched man. In same-sex matches, either person can contact the other first.
Bumble was founded in 2014 by Whitney Wolfe Herd, who had previously co-founded rival dating app Tinder. By September 2019, Bumble was the second largest dating app in the US after Tinder, with a monthly user base of 5 million. According to Forbes, the app now has 95 million users worldwide. Last year, Blackstone bought a majority stake in Bumble for $3 billion.
Users can sign up to the app by either using their phone number or their Facebook profile.
The App’s Security Issues
Bumble’s security issues were discovered by Sanjana Sarda, a security analyst at Independent Security Evaluators (ISE). Her findings were published earlier in the week in a report called “Reverse Engineering Bumble’s API”. Sarda found that sensitive private data pertaining to 95 million Bumble users could have been easily stolen by hackers. This could have been done even if a hacker had previously been banned from the app.
The flaw could also have allowed hackers to steal every single user’s identity. Hackers could have accessed information on the kind of person a user was looking for, as well as all the pictures users had uploaded to the app. Other accessible data included users’ descriptions, education, height, smoking and drinking preferences, voting status, political preference, religious beliefs and zodiac sign. Furthermore, if a Bumble account was connected to Facebook, a hacker could also view all the pages the user had liked.
Most troubling of all the app’s security issues was the fact that hackers could have roughly identified users’ locations. If the hacker lived in the same city as a Bumble user, they could get the user’s approximate location. This could be done by using the app’s “distance in miles” feature. According to Sarda, hackers could have spoofed the locations of a handful of accounts and used these to triangulate a specific user’s coordinates.
The Security Flaws Explained
Bumble’s issues all stemmed from the fact that the app’s API did not verify requests on the server side. The API did not perform the necessary checks to ascertain whether the person issuing a request had the required authorization to do so. Furthermore, the API did not limit the number of requests that could be sent at any one time. For example, Sarda found that she could enumerate all user ID numbers by simply adding one to the previous ID. Moreover, there was no limit to the number of user records she could request using these user IDs. This gave her the ability to potentially extract the entire Bumble user base.
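As an added illustration, which is not Bumble’s or ISE’s code, the following Python sketch shows the two server-side checks described above in a minimal profile endpoint: object-level authorization (a caller may only read their own profile or a matched user’s) and a per-caller request limit. All IDs, names and profile data are constructed for the example.

```python
# Added illustration, not Bumble's code: a profile lookup with the server-side
# checks the report says were missing. All data below is constructed.
import time
from collections import defaultdict, deque

# Constructed sample data: profiles keyed by sequential numeric IDs, the
# accepted matches each user may see, and callers whose accounts were banned.
PROFILES = {
    1001: {"name": "Alice", "about": "hiker", "distance_miles": 2},
    1002: {"name": "Bob", "about": "chef", "distance_miles": 5},
    1003: {"name": "Carol", "about": "pilot", "distance_miles": 9},
}
MATCHES = {1001: {1002}, 1002: {1001}, 1003: set()}
BANNED = {1004}


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per caller."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, caller):
        now = time.monotonic()
        q = self.hits[caller]
        while q and now - q[0] > self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def get_profile_unchecked(caller, target_id):
    """Weak pattern: trusts the client-supplied ID, so any caller can walk every ID."""
    return PROFILES.get(target_id)


def get_profile_checked(caller, target_id, limiter):
    """Hardened pattern: reject banned callers, rate-limit, then enforce
    object-level authorization before touching the record."""
    if caller in BANNED:
        return {"error": "unauthorized"}
    if not limiter.allow(caller):
        return {"error": "rate_limited"}
    if target_id != caller and target_id not in MATCHES.get(caller, set()):
        return {"error": "forbidden"}
    return PROFILES.get(target_id)
```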
According to Sarda, the security flaws she identified could have been easily exploited. All that was required was a simple script. Consequently, hackers could have easily stolen user data and used it to potentially track users or resell it. However, the flaws were also easy to fix, which raises the question of why it took Bumble six months to fix them. Sarda made Bumble aware of the problems back in March. However, a patch for the security flaws she had identified was only made available earlier this month.
A spokesperson for Bumble said: “After being alerted to the issue we then began the multi-phase remediation process that included putting controls in place to protect all user data while the fix was being implemented. The underlying user security related issue has been resolved and there was no user data compromised.”