It took Bumble 255 days to respond and fix some of the vulnerabilities reported by the researcher.
Dating sites and apps have been found vulnerable several times over the past few years spelling more disaster than a fortune for a lot of people. In the latest, the dating site and app Bumble has been found to have an API vulnerability by a security researcher named Sanjana Sarda.
Found on March 30; the report is out now in line with responsible security disclosure practices.
The vulnerability in question exposed the sensitive data of almost all of the network’s users numbering about 100 million people. This data includes their Facebook information, match interest preferences, location, height, weight, political positions, educational qualifications, and astrological signs – all of which could be used by attackers to conduct social engineering attacks on the users.
Furthermore, metrics such as the location which were revealed by showing how far away a particular user was could also potentially put the users in physical danger.
But this wasn’t all. In addition to this, the vulnerability also allowed the researcher to avail the app’s paid services for free hinting that the company can also lose revenue in this way. An example of one of these is the right swipes limit present which could be easily bypassed by switching from the app to the website version.
Seeing the sensitivity of the issue, Sarda reported it to the dating company who apparently according to her, responded after 225 days via HackerOne and then started fixing the issues.
Currently among these, the Facebook data of users could still be accessed which shows us that the company has been very non-serious in fixing the issues. Explaining further Sarda wrote in her report that:
Bumble is no longer using sequential user ids and has updated its previous encryption scheme. This means that an attacker cannot dump Bumble’s entire user base anymore using the attack as described here.
The API request does not provide distance in miles anymore — so tracking location via triangulation is no longer a possibility using this endpoint’s data response. An attacker can still use the endpoint to obtain information such as Facebook likes, pictures, and other profile information such as dating interests.
To conclude, users should abandon or perhaps demand greater urgency from companies in responding to such issues as this is a very serious privacy issue. Since the vulnerability was found in March 2020, it means till the date when parts of it were patched, many attackers could or may have misused it without users knowing just because the company was too negligent.
If you are a user of the app, it may be wise to email the company and request greater details to know if you have been affected.