Bumble denies cyberattack after fixing security issue

hacker targeting a PC
(Image credit: Shutterstock)

UPDATE: A Bumble spokesperson told TechRadar Pro that, "Bumble has had a long history of collaboration with HackerOne and it’s bug bounty program as part of our overall cyber security practice, and this is another example of that partnership. After being alerted to the issue we then began the multi-phase remediation process that included putting controls in place to protect all user data while the fix was being implemented. The underlying user security related issue has been resolved and there was no user data compromised." We have amended the story below to reflect this.

Dating app Bumble has reassured users after patching a security flaw in its systems.

Researchers from California-based Independent Security Evaluators (ISE) found that sensitive information pertaining to every Bumble user could be easily acquired by an attacker, even if they had previously been banned from the app.

Because Bumble’s API did not perform the necessary checks on whether a request issuer was authorized to perform a specific action nor set limits on the number of requests that could be sent, it could have been possible to access data from Bumble’s servers that should have remained private. If a Bumble profile was connected to Facebook, hackers could have gained access to even more information, including the type of date they were looking for and the images they had uploaded to the app.

Of greater concern was the ability to potentially discover a user’s rough location as long as they were based in the same city as the hacker. By evaluating a user’s “distance in miles” across several fake accounts, hackers could potentially triangulate a user’s position with alarming accuracy.

Bumble security

The security flaws found by ISE would have been straightforward to exploit, involving a simple script. They are also easy to identify and fix, which makes it all the more worrying that they were allowed to put so many users at risk.

“As of November 1, 2020, all the attacks mentioned in this blog still worked,” Sanjana Sarda, a security analyst at ISE, said. “When retesting for the following issues on November 11, 2020, certain issues had been partially mitigated. Bumble is no longer using sequential user ids and has updated its previous encryption scheme. This means that an attacker cannot dump Bumble’s entire user base anymore using the attack as described here.”

Although the security issues are now being fixed, Bumble was first alerted of them all the way back in March.

Via Forbes

Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things. 

Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 16 (game #1147)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 16 (game #378)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 16 (game #644)
Three iPhone 16 handsets on show
Apple could launch an iPhone 17 Ultra this year – but we've heard these rumors before
Super Mario Odyssey
ChatGPT is the ultimate gaming tool - here's 4 ways you can use AI to help with your next playthrough