Experts have uncovered a potential serious security vulnerability in popular dating app Bumble that could have allowed an attacker to pinpoint the precise location of other users of the service.
Robert Heaton, a software engineer at payments company Stripe, discovered the vulnerability in the dating app and then proceeded to develop and execute a 'trilateration' attack to test his findings.
In a blog post, Heaton outlined how if the vulnerability were to be exploited by an attacker, they could use Bubmle's app and service to discover a victims home address as well as track their movements in the real world to some degree.
- We've assembled a list of the best password managers
- These are the best security keys on the market
- Also check out our roundup of the best privacy apps
However, as Bumble doesn't update the location of its users all that often in its app, it wouldn't provide an attacker with a live feed of a victim's location, just a general idea.
Luckily, Bumble users have no reason to panic, as Heaton reported his findings to the company via HackerOne. The dating service patched the vulnerability just three days later, and paid Heaton bug bounty payment to the tune of $2,000.
Tracking a Bumble user's location
During his research regarding location tracking in Bumble, Heaton created an automated script that sent a sequence of requests to the company's servers. These requests repeatedly relocated the 'attacker' before requesting the distance to the victim.
According to Heaton, if an attacker can find the point at which the reported distance of another Bumble user flips from 3 miles to 4 miles, they can then infer that this is the point at which their victim is exactly 3.5 miles away from them. After finding these so-called “flipping points” the attacker would then have three exact distances to their victim which would make precise triangulation possible.
Additionally, Heaton managed to to spoof 'swipe yes' requests in the Bumble app on anyone who also declared an interest to a profile without paying a $1.99 fee by circumventing signature checks for API requests.
Bumble has since fixed the vulnerability discovered by Heaton but single people that frequently use online dating apps should also consider installing a VPN on their smartphones to avoid unwanted tracking online and in this case, in the real world.
- We've also featured the best identity theft protection
Via The Daily Swig
