How sweet it sounds when someone tells you that there is an app that lets you register, build meaningful relationships, find friends and do a lot more socially. In an online world, people often turn to an app such as Bumble to make such interactions a whole lot easier.
Recently, however, security vulnerabilities in the Bumble app led security analysts to a troubling realization: the bugs could have exposed the personal information of millions of the people who were on the app.
How Was the Bug Identified?
The bug was recently identified by Sanjana Sarda and her team at Independent Security Evaluators. It was found in the app's API, and the root of the problem was that the app was not verifying user requests on the server side. So a user who signed up on the app from a cheap dedicated server or a cloud server was more likely at risk of being exposed.
The team identified the bug while bypassing the Bumble Boost feature, which gives paying users access to advanced features. In doing so, the researchers found the security loophole through which an attacker could easily steal information about the app's users.
Once Sanjana and her team realized that the platform's checks could be bypassed, a bit more exploration led them to a way to retrieve all of the information on Bumble's users.
If a person had logged into the app through Facebook, an attacker could retrieve the data related to their activities on Facebook. The attacker could gain insight into a number of factors, such as what kind of person the user is looking for, and use that to create a fake profile and exploit other users on the dating app. The attacker could also access sensitive information such as the person's height, weight, religious beliefs, political affiliations and other personal details. Even if an account on Bumble went dormant, the attacker could still find different people's locations and check whether they were online or offline.
In fact, the exploitation went so far that the researchers were able to retrieve further user information even after the Bumble platform locked down their personal accounts.
The team also looked at the limit on right swipes: a person signed up on Bumble could only right swipe 100 people in a 24-hour period. As Sarda explains,
“On further examination, the only check on the swipe limit is through the mobile front-end, which means that there is no check on the actual API request. As there is no check on the web application front-end, using the web application instead of the mobile app implies that users won’t ever run out of swipes.”
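The check Sarda describes as missing belongs on the server, where it cannot be skipped by switching clients. The following is an added example, not Bumble's or ISE's code: a weak handler that leaves the quota decision to the client, beside a server-side handler that counts each user's right swipes in a 24-hour window. The request shape, the `client` field and the in-memory store are assumptions for illustration.

```python
from collections import defaultdict, deque

SWIPE_LIMIT = 100               # right swipes allowed per user per window
WINDOW_SECONDS = 24 * 60 * 60   # 24-hour rolling window


def weak_right_swipe(request: dict) -> dict:
    """Weak pattern: trusts a client-supplied counter (hypothetical field).

    The mobile app decrements `swipes_left` itself; a client that never
    sends the field (or always sends a positive value) is never limited.
    """
    if request.get("swipes_left", 1) <= 0:
        return {"ok": False, "error": "swipe_limit_reached"}
    return {"ok": True}


class SwipeService:
    """Hardened pattern: the server keeps the count, per user, per window."""

    def __init__(self, limit: int = SWIPE_LIMIT, window: int = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        # user_id -> timestamps of right swipes still inside the window
        self._history: dict[str, deque] = defaultdict(deque)

    def _prune(self, user_id: str, now: int) -> deque:
        q = self._history[user_id]
        while q and now - q[0] >= self.window:
            q.popleft()            # swipe has aged out of the window
        return q

    def right_swipe(self, user_id: str, target_id: str, now: int,
                    client: str = "mobile") -> dict:
        """Handle one right-swipe API request.

        `client` (mobile or web) is accepted but deliberately ignored for
        the quota decision: every client gets the same server-side limit.
        """
        q = self._prune(user_id, now)
        if len(q) >= self.limit:
            # Oldest swipe in the window decides when the next slot frees up.
            return {"ok": False, "error": "swipe_limit_reached",
                    "retry_after": int(self.window - (now - q[0]))}
        q.append(now)
        return {"ok": True, "target": target_id,
                "remaining": self.limit - len(q)}
```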
As for the exploitation itself, the security professionals took a swing at the app's Beeline feature. Through the developer console, they were able to access all of the information.
“What’s interesting to note, though, is that it also displays their vote, and we can use this to differentiate between users who haven’t voted versus users who have swiped right.”
After the bugs were identified and reported, Bumble took at least 6 months to fix them in its dating app. On the 11th of November, Sarda repeated her research, and her team concluded that there is still room for improvement.
In her closing statement, Sarda explains,
“An attacker can still use the endpoint to obtain information such as Facebook likes, pictures, and other profile information such as dating interests. This still works for an unvalidated, locked-out user, so an attacker can make unlimited fake accounts to dump user data.”
Bumble is a good dating app, but it has its limitations. With its security concerns now out in the open, people are more cautious when using the app. While the backend team at Bumble is taking every possible measure to resolve the issue, security researchers such as Sarda are taking every possible measure to neutralize the threat. Have you learned something new? Feel free to share it.