Bumble is one of the popular dating sites used globally. With the growing popularity, it has also set up interest among cybercriminals. Recently, security vulnerability has been noticed in the platform which could lead to data risks for around 100 million users.
Sanjana Sarda and her team members at Independent Security Evaluators discovered that the bugs which have affected Bumble's API and come out from the service, not verifying the user requests from the server.
As per the research team,
"an attacker can dump Bumble’s entire user-base with basic user information and pictures even if the attacker is an unverified user with a locked account."
Moreover, to find a way to bypass the payment for the premium feature, "Bumble boost", the evaluators find several loopholes that a cybercriminal could exploit to steal the users' data. With the way to bypass the platform's security and features, it becomes an easy task to access users' information and retrieves other information about them.
Besides, if a user had logged in to the app using its Facebook credentials, the cybercriminal would be able to steal the information based on its activities on the social media platform such as Facebook likes images and dating interest information.
Interestingly, Bumble was informed about the vulnerabilities in March. However, on evaluation in early November, none of the flaws were patched. On November 11th, the company was found with a few issues fixed. Further, Bumble informed that the security-related fixes have been done and there is no compromise with the data of the users.
The researchers confirmed that,
"Bumble is no longer using sequential user ids and has updated its previous encryption scheme. This means that an attacker cannot dump Bumble’s entire user base anymore using the attack as described here. The API request does not provide distance in miles anymore — so tracking location via triangulation is no longer a possibility using this endpoint’s data response,"
As per the overall investigation, it is clear that after the recent fixes, the attackers can now only access the encrypted IDs which they already have.
Positively, it is expected that the remaining vulnerabilities will be fixed soon!
Stay tuned with ISOEH (Indian School of Ethical Hacking) for cyber security trends and industry updates.
We help individuals and groups to build a fascinating career in cyber security and serve society.