
Serious security flaw on dating app Bumble could have exposed location data of users

The flaw could have allowed threat actors to discover home addresses and track their movements in real-time

August 28, 2021 / 05:44 PM IST
The flaw was discovered by Robert Heaton, software engineer at Stripe

Robert Heaton, a software engineer at the payments company Stripe, discovered a major flaw in the dating app Bumble that could have allowed threat actors to gain access to user location data.

This could have been used to look up addresses and even track a user's movements. Heaton discussed the vulnerability, and the methods he used to test a trilateration attack, in a blog post.

He ran a script that spoofed an API request to the app and returned a user's general location. Since Bumble doesn't track user location in real-time, the script assumes the app calculates the distance between two users and then rounds it.

The script then keeps requesting the target's location from the app until the threat actor finds a "flipping point": if the reported distance oscillates between 3 and 4 miles, one can infer that the true distance is 3.5 miles.

This process is repeated until the attacker finds three such points, after which precise triangulation of the target's location becomes possible.
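The flipping-point search and three-point solve described above, as an added simulation that is not from Heaton's post or Bumble's code: a constructed distance oracle on a flat plane measured in miles, plus, as an assumed mitigation (not stated on this page to be Bumble's fix), snapping the position to a coarse grid before the distance is computed, which bounds what can be recovered to the size of a grid cell.

```python
import math

def make_oracle(target, bucket=1.0, snap_cell=None):
    """Constructed model of the server check: distance to `target`, rounded to
    the nearest `bucket` miles.  With `snap_cell` set, the target is first moved
    to the centre of a coarse grid cell: coarsen the input, not just the output."""
    tx, ty = target
    if snap_cell:
        tx = math.floor(tx / snap_cell) * snap_cell + snap_cell / 2
        ty = math.floor(ty / snap_cell) * snap_cell + snap_cell / 2
    return lambda probe: math.floor(math.dist(probe, (tx, ty)) / bucket + 0.5) * bucket

def flipping_point(oracle, start, direction, bucket=1.0, tol=1e-7):
    """Walk from `start` along unit vector `direction` one bucket at a time until
    the rounded distance changes, then bisect to the boundary.  The boundary
    between two adjacent buckets lies exactly at their midpoint (3 and 4 -> 3.5)."""
    dx, dy = direction
    lo, lo_val = start, oracle(start)
    hi = (lo[0] + dx * bucket, lo[1] + dy * bucket)
    while oracle(hi) == lo_val:            # no flip yet: keep walking
        lo, hi = hi, (hi[0] + dx * bucket, hi[1] + dy * bucket)
    while math.dist(lo, hi) > tol:         # bisect to pin the flip down
        mid = ((lo[0] + hi[0]) / 2, (lo[1] + hi[1]) / 2)
        if oracle(mid) == lo_val:
            lo = mid
        else:
            hi = mid
    return hi, (lo_val + oracle(hi)) / 2   # point on the boundary, exact distance

def trilaterate(circles):
    """Point at known distances from three non-collinear points: subtract the
    circle equations pairwise and solve the 2x2 linear system (Cramer's rule)."""
    (x1, y1, r1), (x2, y2, r2), (x3, y3, r3) = circles
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    d, e = 2 * (x3 - x1), 2 * (y3 - y1)
    f = r1**2 - r3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a * e - b * d
    return ((c * e - b * f) / det, (a * f - c * d) / det)

def recover_location(oracle, start=(0.0, 0.0)):
    """Three flipping points in different directions, then trilaterate."""
    dirs = [(1.0, 0.0), (0.0, 1.0), (-math.sqrt(0.5), -math.sqrt(0.5))]
    circles = []
    for d in dirs:
        (px, py), r = flipping_point(oracle, start, d)
        circles.append((px, py, r))
    return trilaterate(circles)
```

With rounding alone, `recover_location(make_oracle((3.2, 7.9)))` returns the exact target; with `snap_cell=1.0` it can only recover the cell centre, so the leak is bounded by the cell size rather than by the rounding granularity.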


Heaton also found a way to circumvent the premium-access checks, which require users to pay a fee, by spoofing signature checks.

The flaw was reported to Bumble and Heaton took home a bug bounty of $2,000. The vulnerability was also patched three days after Heaton reported the flaw.

Heaton used HackerOne to report the flaw to Bumble on June 15, and the fix was deployed on June 18. A full disclosure of the triangulation flaw was agreed upon and released on July 21.
Moneycontrol News