Robert Heaton, a software engineer for payments and transactions company Stripe, discovered a major flaw in the dating app Bumble that could have allowed threat actors to gain access to user location data.
This could have been used to look up addresses and even track user location. Heaton discussed the vulnerability in a blog post and the methods he used to test out a trilateration attack.
He ran a script that spoofed an API request to the app and returned a user's general location. Since Bumble doesn't track user location in real-time, the script assumes the app calculates the distance between two users and then rounds it up.
The script then keeps requesting the user location from the app until the threat actor finds a "flipping point." If the reported distance to the target oscillated between 3 and 4 miles, one could infer that the target was 3.5 miles away.
This process is repeated until the attacker finds three of these points, after which precise triangulation of the target's location becomes possible.
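The following is an added example, not code from Heaton's post or from Bumble: a self-contained audit that a developer could run against their own distance-reporting function to measure how much position it leaks through flipping points. It assumes a flat plane measured in miles, rounding to the nearest mile (consistent with the 3.5-mile inference above), constructed coordinates, and hypothetical function names; the grid-snapping variant is an assumed mitigation, not the fix Bumble deployed.

```python
import math

def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def round_half_up(d):
    return math.floor(d + 0.5)

def leaky_report(observer, target):
    # Weak: exact distance is computed, then rounded only for display.
    return round_half_up(dist(observer, target))

def snap(p, cell=1.0):
    # Centre of the grid cell that contains p.
    return tuple((math.floor(c / cell) + 0.5) * cell for c in p)

def hardened_report(observer, target, cell=1.0):
    # Assumed mitigation: coarsen the stored position before measuring.
    return round_half_up(dist(observer, snap(target, cell)))

def flip_point(report, lo, hi):
    # Bisect the segment lo..hi down to where the reported value changes.
    # At that boundary the underlying distance is k + 0.5.
    r_lo = report(lo)
    assert report(hi) != r_lo, "endpoints must report different values"
    for _ in range(60):
        mid = ((lo[0] + hi[0]) / 2, (lo[1] + hi[1]) / 2)
        if report(mid) == r_lo:
            lo = mid
        else:
            hi = mid
    return lo, min(r_lo, report(hi)) + 0.5

def locate(report, segments):
    # Intersect three circles centred on flip points (linearised form).
    (p1, d1), (p2, d2), (p3, d3) = (flip_point(report, a, b) for a, b in segments)
    def row(p, d):
        return (2 * (p[0] - p1[0]), 2 * (p[1] - p1[1]),
                d1**2 - d**2 + p[0]**2 - p1[0]**2 + p[1]**2 - p1[1]**2)
    a1, b1, c1 = row(p2, d2)
    a2, b2, c2 = row(p3, d3)
    det = a1 * b2 - a2 * b1
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)

TARGET = (7.3, 4.6)  # constructed test position, in miles
SEGMENTS = [((0, 0), (20, 0)), ((0, 0), (0, 20)), ((20, 0), (20, 20))]

def audit(report_fn):
    # Miles between the position recovered from rounded reports and TARGET.
    est = locate(lambda obs: report_fn(obs, TARGET), SEGMENTS)
    return dist(est, TARGET)
```

Against `leaky_report` the recovered point matches the constructed position almost exactly, while against `hardened_report` it only recovers the centre of the grid cell, so the residual error is bounded by the cell size the operator chooses.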
Heaton also managed to find a way to circumvent the premium access checks, which require users to pay a fee, by spoofing signature checks.
The flaw was reported to Bumble and Heaton took home a bug bounty of $2,000. The vulnerability was also patched three days after Heaton reported the flaw. Heaton used HackerOne to report the flaw to Bumble on June 15 and the fix was deployed on June 18. A full disclosure of the triangulation flaw was agreed upon and released on July 21.