Bumble Fixes Flaw Exposing Exact User Locations

An independent ‘white hat hacker’ has uncovered a vulnerability in Bumble’s application programming interface (API) which could have led to the exact location of users being exposed.

Robert Heaton, whose day job is as a software engineer at payments processor ‘Stripe’, also found a way to bypass Bumble’s paywall and avoid paying the $1.99 fee to see who has swiped right.

He used a variation of the trilateration technique, which has previously revealed the geolocation of Grindr and Tinder members.

However, Bumble had apparently learned from the mistakes of its competitors and calculated the exact distance between users on its servers before sending rounded figures to the app. 

Heaton instead created two fake profiles and slowly moved the attacker away until the rounded figure changed. After doing this three times he was able to carry out the trilateration process as usual.

The vulnerability was reported to Bumble on 15th June. The female first dating app deployed a fix just three days later and there was no evidence to suggest that any users were compromised.

Bumble rewarded Heaton with $2,000 for his work which was donated to the ‘Against Malaria Foundation’.

Read more here.