Bumble, the dating app behemoth that's allegedly headed to a major IPO as soon as next year, apparently took over half a year to deal with a major security flaw that left the sensitive information of its millions of users vulnerable.
That's according to new research posted over the weekend by cybersecurity firm Independent Security Evaluators (ISE) detailing how a bad actor, even one that was banned from Bumble, could exploit a vulnerability in the app's underlying code to pull up the rough location data for any Bumbler within their city, as well as additional profile data like photos and religious views. Despite being informed about this vulnerability in mid-March, the company didn't patch the issue until November 12, some six and a half months later.
Pre-patch, anyone with a Bumble account could query the app's API to figure out roughly how many miles away any other user in their city happened to be. As the blog's author, Sanjana Sarda, explains, if a certain creepy someone really wanted to figure out the location of a given Bumble user, it wouldn't be too hard to set up a handful of accounts, figure out the user's basic distance from each one, and use that collection of data to triangulate a Bumbler's exact location.
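To make the risk concrete, here is an added illustration, written for this page and not code from the article, from ISE, or from Bumble. It models the kind of endpoint Sarda describes as a planar oracle that reports whole-mile distances, measures how far a handful of vantage points can narrow a user's position down (the check a reviewer would run against such an API), and contrasts it with a server-side mitigation that snaps every stored location to the centre of a one-mile grid cell before any distance is computed. The coordinates, the probe layout, the one-mile rounding and the cell size are all constructed assumptions; the page says nothing about the real API's shape.

```python
"""
Defender's check: how much does a rounded-distance API reveal?

Mock of a "distance to user" endpoint in planar miles, with two server-side
policies:
  - weak:    report round(true distance)          (what the article describes)
  - snapped: first move the user's stored location to the centre of a 1-mile
             grid cell, then report the rounded distance to that centre.
feasible_region() is the consistency search a reviewer runs to see which
positions a set of queries from several vantage points cannot tell apart.
All coordinates below are constructed sample values, not real data.
"""
import math

CELL = 1.0  # grid cell size in miles (assumed mitigation parameter)


def distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def weak_oracle(user, probe):
    """Server reports the whole-mile distance to the user's exact location."""
    return round(distance(user, probe))


def snap(point, cell=CELL):
    """Server-side: replace a location by the centre of its grid cell."""
    return (math.floor(point[0] / cell) * cell + cell / 2,
            math.floor(point[1] / cell) * cell + cell / 2)


def snapped_oracle(user, probe, cell=CELL):
    """Server reports the whole-mile distance to the snapped location only."""
    return round(distance(snap(user, cell), probe))


def ring_probes(centre, radius, n):
    """n vantage points on a circle, standing in for several querying accounts."""
    return [(centre[0] + radius * math.cos(2 * math.pi * k / n),
             centre[1] + radius * math.sin(2 * math.pi * k / n)) for k in range(n)]


def feasible_region(observations, probes, box=10.0, step=20):
    """All grid points (1/step mile apart inside a box x box area) whose rounded
    distances match every observation: the positions the queries cannot separate."""
    region = []
    for i in range(int(box * step) + 1):
        for j in range(int(box * step) + 1):
            cand = (i / step, j / step)  # i/step keeps coordinates exactly representable
            if all(round(distance(cand, p)) == o for p, o in zip(probes, observations)):
                region.append(cand)
    return region


def centroid(points):
    n = len(points)
    return (sum(p[0] for p in points) / n, sum(p[1] for p in points) / n)


def measure_leak(oracle, user, probes):
    """Query the oracle from every probe and return
    (estimated position, error in miles from the true position, region size)."""
    obs = [oracle(user, p) for p in probes]
    region = feasible_region(obs, probes)
    est = centroid(region)
    return est, distance(est, user), len(region)


USER = (3.7, 5.2)  # constructed location of the user being looked up
PROBES = ring_probes((5.0, 5.0), 4.0, 12) + ring_probes((5.0, 5.0), 2.0, 6)

if __name__ == "__main__":
    for name, oracle in (("weak (round only)", weak_oracle),
                         ("snapped to grid", snapped_oracle)):
        est, err, size = measure_leak(oracle, USER, PROBES)
        print(f"{name:18s} estimate=({est[0]:.2f}, {est[1]:.2f})  "
              f"error={err:.2f} mi  indistinguishable points={size}")
```

The property worth testing is not the size of the error for one user but what extra queries can buy: under the rounding-only policy the feasible region keeps shrinking as vantage points are added, while under the snapping policy every user in the same cell produces identical answers from every vantage point, so no number of accounts can separate them. Rounding the reported number is cosmetic; coarsening the stored location is the actual control.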

Photo: Eric Baradat (Getty Images)
Bumble isn't the first company to accidentally leave this sort of data freely available. Last year, cybersecurity sleuths were able to glean exact locations of people using LGBT-centric dating apps like Grindr and Romeo and collate them into a user location map. And those location-data leaks are on top of the careful data sharing these sorts of dating apps typically already engage in with a bevy of third-party partners. You would think that an app purporting to be a feminist haven like Bumble might stretch its idea of user safety to its data practices.
While some of the issues identified by Sarda have been fixed, the belated patch apparently didn't tackle one of the other major API-based issues described in the blog, which allowed ISE to get unlimited swipes (or "votes" in Bumble parlance), along with access to other premium features like the ability to unswipe or to see who might have swiped right on them. Typically, accessing these features costs a given Bumbler around $10 per week.
Correction 7:15pm ET, Nov. 16: Due to a communication error, we neglected to reach out to Bumble for comment prior to publication. We have since given the company the chance to respond. We sincerely regret the error.

Update 2025-03-07, 10:18 a.m. ET: A Bumble spokesperson sent the following statement:
Bumble has had a long history of collaboration with HackerOne and its bug bounty program as part of our overall cyber security practice, and this is another example of that partnership. After being alerted to the issue we then began the multi-phase remediation process that included putting controls in place to protect all user data while the fix was being implemented. The underlying user security related issue has been resolved and there was no user data compromised.