Security researchers have discovered a vulnerability in the popular dating app Bumble. This could allow an attacker to determine the exact location of another user of the service.
Robert Heaton, a software engineer at the payments company Stripe, discovered the vulnerability in the dating app and tested his findings by developing and executing a “trilateration” attack, which he explains in detail in a new blog post.
If an attacker exploited the vulnerability Heaton discovered, they could use Bumble’s app and service to find out a victim’s home address and, to some extent, track their movements in the real world. However, Bumble doesn’t update a user’s location in the app very often, so the attacker would get only a general idea of the victim’s whereabouts rather than a live feed.
Bumble users need not worry, as the vulnerability was patched just three days after Heaton reported his findings to the company via HackerOne. For his efforts, Heaton received a $2,000 bug bounty.
Bumble user location tracking
While researching location tracking in Bumble, Heaton created an automated script that sends a series of requests to the company’s servers. These requests repeatedly moved the “attacker” before asking for the distance to the victim.
According to Heaton, if an attacker can find a point where another Bumble user’s reported distance changes from 3 miles to 4 miles, it can be inferred that this is the point at which the victim is exactly 5.5 miles away. After finding three of these so-called “flipping points”, the attacker has three precise distances to the victim, allowing accurate triangulation.
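From the defender's side, the request pattern described above (relocate, ask for the distance to the same profile, relocate again) is visible in server logs. The sketch below is an added example, not code from Heaton's post or from Bumble; the event format, account and profile names, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from math import asin, cos, radians, sin, sqrt

WINDOW_S = 600     # assumed look-back window, seconds
MAX_CYCLES = 4     # assumed tolerated move-then-query cycles per target per window
MAX_MPH = 600.0    # assumed fastest plausible speed between two claimed positions

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(h))

def find_probing(events):
    """Return {(account, target): set of reasons} for relocate-then-query behaviour."""
    last_pos, moved, too_fast = {}, defaultdict(bool), defaultdict(bool)
    cycles = defaultdict(deque)   # (account, target) -> times of move-then-query cycles
    flagged = defaultdict(set)
    for t, account, action, payload in sorted(events, key=lambda e: e[0]):
        if action == "move":                      # payload: claimed (lat, lon)
            if account in last_pos:
                t0, p0 = last_pos[account]
                mph = miles_between(p0, payload) / (max(t - t0, 1) / 3600)
                too_fast[account] = mph > MAX_MPH
            last_pos[account] = (t, payload)
            moved[account] = True
        elif action == "distance":                # payload: profile being measured
            key = (account, payload)
            if moved[account]:                    # location changed since the last query
                recent = cycles[key]
                recent.append(t)
                while t - recent[0] > WINDOW_S:   # drop cycles outside the window
                    recent.popleft()
                if len(recent) > MAX_CYCLES:
                    flagged[key].add("repeated relocate-then-query")
                if too_fast[account]:
                    flagged[key].add("implausible travel speed")
            moved[account] = False
    return dict(flagged)

# Constructed sample events: (epoch seconds, account, action, payload).
SAMPLE_EVENTS = []
for i in range(6):  # acct_a shifts its claimed position every 10 s, then re-queries
    SAMPLE_EVENTS += [(i * 10, "acct_a", "move", (40.70 + i * 0.05, -74.00)),
                      (i * 10 + 5, "acct_a", "distance", "profile_1")]
SAMPLE_EVENTS += [(0, "acct_b", "move", (40.70, -74.00)), (5, "acct_b", "distance", "profile_1"),
                  (3600, "acct_b", "move", (40.80, -74.00)), (3605, "acct_b", "distance", "profile_1")]
```

On the constructed events, `find_probing(SAMPLE_EVENTS)` flags only `acct_a`, for both reasons; `acct_b`, which moves once an hour, is not flagged.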
In addition, by bypassing the signature check on API requests, Heaton was able to spoof “yes” requests to anyone who had expressed interest in a profile, without paying the $1.99 fee.
Bumble has since patched the vulnerability Heaton discovered, but singles who frequently use online dating apps should consider installing a VPN on their smartphones to avoid unnecessary tracking online and, in this case, in the real world.
Via The Daily Swig
User Location Information Published by Bumble Vulnerability