Bumble Takes Six Months to Fix Security Flaws Exposing User Locations

This article was updated on 17th November 2020 to include a statement from HackerOne.

Bumble has fixed security flaws that made it possible for hackers to find users’ exact locations, more than six months after they were first uncovered.

A team of researchers at the Independent Security Evaluators discovered that it was able to look at all of a member’s pictures and Facebook interests, even if they were using an account that had been blocked by the app. Furthemore, hackers could have used the ‘distance-from’ feature to find exact geolocations.

Bumble’s application programming interface (API) reportedly didn’t conduct the necessary checks or have limits to prevent repeated server probes.

Sanjana Sarda, security analyst at Independent Security Evaluators, explained to Forbes: “These issues are relatively simple to exploit, and sufficient testing would remove them from production. Likewise, fixing these issues should be relatively easy as potential fixes involve server-side request verification and rate-limiting.”

The social and dating app was made aware of the flaws midway through March, but did not complete the necessary fixes until November. It is believed that no user information was exploited by harmful hackers.

A spokesperson for Bumble told Forbes: “Bumble has had a long history of collaboration with [cyber-security firm] HackerOne and its bug bounty program as part of our overall cyber-security practice, and this is another example of that partnership. 

“After being alerted to the issue we then began the multi-phase remediation process that included putting controls in place to protect all user data while the fix was being implemented. The underlying user security related issue has been resolved and there was no user data compromised.”

In a statement to Global Dating Insights, a representative from HackerOne also added: “Vulnerability disclosure is a vital part of any organization’s security posture. Ensuring vulnerabilities are in the hands of the people that can fix them is essential to protecting critical information. Bumble has a history of collaboration with the hacker community through its bug bounty program on HackerOne.

“While the issue reported on HackerOne was resolved by Bumble’s security team, the information disclosed to the public includes information far exceeding what was responsibly disclosed to them initially. Bumble’s security team works around the clock to ensure all security-related issues are resolved swiftly and confirmed that no user data was compromised.”

Read more here.

Dominic Whitlock

Dominic is the Editor for Global Dating Insights. Originally from Devon, England he achieved a BA in English Language & Linguistics from The University of Reading. He enjoys a variety of sports and has a further passion for film and music.

Global Dating Insights is part of the Industry Insights Group. Registered in the UK. Company No: 14395769