Bumble security flaw could have let anyone track you down

News
By published

Security hole in dating app Bumble exposed user location data

app security
(Image credit: Shutterstock.com)

Experts have uncovered a potential serious security vulnerability in popular dating app Bumble that could have allowed an attacker to pinpoint the precise location of other users of the service.

Robert Heaton, a software engineer at payments company Stripe, discovered the vulnerability in the dating app and then proceeded to develop and execute a 'trilateration' attack to test his findings.

In a blog post, Heaton outlined how if the vulnerability were to be exploited by an attacker, they could use Bubmle's app and service to discover a victims home address as well as track their movements in the real world to some degree. 

However, as Bumble doesn't update the location of its users all that often in its app, it wouldn't provide an attacker with a live feed of a victim's location, just a general idea.

Luckily, Bumble users have no reason to panic, as Heaton reported his findings to the company via HackerOne. The dating service patched the vulnerability just three days later, and paid Heaton bug bounty payment to the tune of $2,000.

Tracking a Bumble user's location

During his research regarding location tracking in Bumble, Heaton created an automated script that sent a sequence of requests to the company's servers. These requests repeatedly relocated the 'attacker' before requesting the distance to the victim.

According to Heaton, if an attacker can find the point at which the reported distance of another Bumble user flips from 3 miles to 4 miles, they can then infer that this is the point at which their victim is exactly 3.5 miles away from them. After finding these so-called “flipping points” the attacker would then have three exact distances to their victim which would make precise triangulation possible.

Additionally, Heaton managed to to spoof 'swipe yes' requests in the Bumble app on anyone who also declared an interest to a profile without paying a $1.99 fee by circumventing signature checks for API requests.

Bumble has since fixed the vulnerability discovered by Heaton but single people that frequently use online dating apps should also consider installing a VPN on their smartphones to avoid unwanted tracking online and in this case, in the real world. 

Via The Daily Swig

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Read more
Location Data
Cloudflare CDN flaw could expose user location simply by sending an image
Closeup image of an eye with a heart on a screen reflected within
Bad romance: how to take control of your dating data and avoid a clinch from a cyberstalker
Find My app logo displayed on an iPhone 11 screen
This Find My exploit lets hackers track any Bluetooth device – here’s how you can stay safe
Data breach
Privacy of millions worldwide compromised as huge data location broker got hacked
Kaspersky Report on Stalkerware
Security flaw in popular stalkerware apps is exposing phone data of millions
Outdoor photograph of a pair of hands holding a smartphone with navigator location points in the background
Millions of phone location records feared leaked as one of the biggest data leaks ever may be a whole lot worse
Latest in Security
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
UK Prime Minister Sir Kier Starmer
The UK releases timeline for migration to post-quantum cryptography
Latest in News
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Apple iPhone 16 Review
New iPhone 17 report lends weight to rumors of major display and camera upgrades, and a pricey Apple foldable
Teams
Microsoft Teams is finally adding a tiny but crucial feature I honestly can't believe it never had
Apple Watch Ultra 2 move data
Apple is reportedly planning a huge future Apple Watch upgrade to turn it into an AI device with onboard cameras
Apple watch pair with iphone
The Apple Watch SE 3 is apparently in 'serious jeopardy', and the news isn't much better for the Ultra 3 or Series 11
Ray-Ban Meta Smart Glasses
Samsung's rumored smart specs may be launching before the end of 2025
More about security
IBM office logo

IBM to provide platform for flagship cyber skills programme for girls
Hacker silhouette working on a laptop with North Korean flag on the background

North Korea unveils new military unit targeting AI attacks

Apple iPhone 16 Review

New iPhone 17 report lends weight to rumors of major display and camera upgrades, and a pricey Apple foldable
See more latest
Most Popular
Apple iPhone 16 Review
New iPhone 17 report lends weight to rumors of major display and camera upgrades, and a pricey Apple foldable
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Sky Glass Gen 2
It's a Glass act: the next generation of Sky Glass TV is now at Currys
Teams
Microsoft Teams is finally adding a tiny but crucial feature I honestly can't believe it never had
Apple Watch Ultra 2 move data
Apple is reportedly planning a huge future Apple Watch upgrade to turn it into an AI device with onboard cameras
Apple watch pair with iphone
The Apple Watch SE 3 is apparently in 'serious jeopardy', and the news isn't much better for the Ultra 3 or Series 11
ClinkCaim laptop
Laptop prototype with detachable AI webcam (but without a normal touchpad) wins award at the 'Oscars' of the design industry
Compal Infinite Laptop
This laptop has a horizontal rollable display that extends to 18 inches, and I can't wait to try it
Silicon Motion MonTian 128TB SSD
More 128TB SSDs on the way, but they won't be cheaper: Key maker of NAND flash controllers says 128TB SSDs are shipping
Toshiba HDD Innovation Lab
How to make hard drives faster? Simple, just bunch dozens of them together, Toshiba says