1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Security hole in dating app Bumble exposed user location data

    From TechnologyDaily@1337:1/100 to All on Sat Aug 28 00:45:04 2021
    Security hole in dating app Bumble exposed user location data

    Date:
    Fri, 27 Aug 2021 23:30:58 +0000

    Description:
    Bumble has patched a vulnerability that made it possible for an attacker to pinpoint the precise location of other users.

    FULL STORY ======================================================================

    A security researcher has discovered a vulnerability in the popular dating
    app Bumble that could have allowed an attacker to pinpoint the precise location of other users of the service.

    Robert Heaton, who works as a software engineer at the payments company
    Stripe , discovered the vulnerability in the dating app and then proceeded to develop and execute a 'trilateration' attack to test his findings which he's detailed in a new blog post .

    If the vulnerability discovered by Heaton were to be exploited by an
    attacker, they could use Bubmle's app and service to discover a victims home address as well as track their movements in the real world to some degree. However, as Bumble doesn't update the location of its users all that often in its app, it wouldn't provide an attacker with a live feed of a victim's location, just a general idea. We've assembled a list of the best password managers These are the best security keys on the market Also check out our roundup of the best privacy apps

    Bumble users don't need to be worried though as Heaton reported his findings to the company via HackerOne after which it patched the vulnerability just three days later. For his efforts, Heaton received a bug bounty payment to
    the tune of $2,000. Tracking a Bumble user's location

    During his research regarding location tracking in Bumble, Heaton created an automated script that sent a sequence of requests to the company's servers. These requests repeatedly relocated the 'attacker' before requesting the distance to the victim.

    According to Heaton, if an attacker can find the point at which the reported distance of another Bumble user flips from 3 miles to 4 miles, they can then infer that this is the point at which their victim is exactly 3.5 miles away from them. After finding these so-called flipping points the attacker would then have three exact distances to their victim which would make precise triangulation possible.

    Additionally, Heaton managed to to spoof 'swipe yes' requests in the Bumble app on anyone who also declared an interest to a profile without paying a $1.99 fee by circumventing signature checks for API requests.

    Bumble has since fixed the vulnerability discovered by Heaton but single people that frequently use online dating apps should also consider installing a VPN on their smartphones to avoid unwanted tracking online and in this
    case, in the real world. We've also featured the best identity theft protection

    Via The Daily Swig



    ======================================================================
    Link to news story: https://www.techradar.com/news/security-hole-in-dating-app-bumble-exposed-user -location-data/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)