The information at risk of theft due to API flaws included people’s pictures, locations, dating preferences and Facebook data
Security vulnerabilities in Bumble, one of today’s most popular dating apps, could have exposed the personal information of its entire, almost 100 million-strong user-base.
The bugs – which affected Bumble’s application programming interface (API) and stemmed from the dating service not verifying user requests server-side – was discovered by Sanjana Sarda and her team at Independent Security Evaluators. In addition to finding a way to bypass paying for Bumble Boost, the platform’s premium tier that gives users a host of advanced features, the researchers uncovered security loopholes that a potential attacker could exploit to steal data about all of its users.
The most worrying bug affected the app’s Unlimited Additional Filtering feature. Sarda and her team wrote a Proof-of-Concept script that enabled them to find users by sending unlimited requests to the server. The researchers were able to enumerate all Bumble users and retrieve a treasure trove of information about them. If a user accessed Bumble through their Facebook account, a cybercriminal would have been able to create a comprehensive picture about them by retrieving all of their interests and the pages they liked.
An attacker could potentially gain access to data, such as what kind of person the user is looking for, which could prove useful in creating a fake persona for a dating scam. Also, they’d have access to information users share on their profile such as height, religious beliefs and political leanings. The black hat could also find out people’s locations and see whether they were online. Interestingly, the researchers were able to retrieve further user data even after Bumble locked down their account.
ADDITIONAL READING: When love becomes a nightmare: Online dating scams
The team also circumvented the limit of 100 right swipes within a 24-hour timeframe. “On further examination, the only check on the swipe limit is through the mobile front-end which means that there is no check on the actual API request. As there is no check on the web application front-end, using the web application instead of the mobile app implies that users won’t ever run out of swipes,” said Sarda.
The researchers also took a swing at the app’s popular Beeline feature. Using the developer console, they found a way to see all of users in a potential match feed. “What’s interesting to note, though, is that it also displays their vote and we can use this to differentiate between users who haven’t voted versus users who have swiped right,” Sarda said.
It took Bumble six months to plug (almost) all holes; on November 11th, Sarda and her team found that, in fact, there might be some more work to do. “An attacker can still use the endpoint to obtain information such as Facebook likes, pictures, and other profile information such as dating interests. This still works for an unvalidated, locked-out user, so an attacker can make unlimited fake accounts to dump user data,” said Sarda.
Bumble is expected to resolve the issues over the upcoming days.