The information at risk of theft due to API flaws included people’s pictures, locations, dating preferences and Facebook data
Security vulnerabilities in Bumble, one of today’s most popular dating apps, could have exposed the personal information of its entire, almost 100 million-strong user base.
The bugs – which affected Bumble’s application programming interface (API) and stemmed from the dating service not verifying user requests server-side – were discovered by Sanjana Sarda and her team at Independent Security Evaluators. In addition to finding a way to bypass paying for Bumble Boost, the platform’s premium tier that gives users a host of advanced features, the researchers uncovered security loopholes that a potential attacker could exploit to steal data about all of its users.
The most worrying bug affected the app’s Unlimited Additional Filtering feature. Sarda and her team wrote a Proof-of-Concept script that enabled them to find users by sending unlimited requests to the server. The researchers were able to enumerate all Bumble users and retrieve a treasure trove of information about them. If a user accessed Bumble through their Facebook account, a cybercriminal would have been able to create a comprehensive picture about them by retrieving all of their interests and the pages they liked.
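To make the two root causes above concrete (premium checks not enforced server-side, and filtered searches that could be repeated without limit), here is an added illustration written for this article; it is not Bumble’s code and nothing in it comes from the researchers’ proof of concept. The endpoint names, the `PREMIUM_ACCOUNTS` record, the `SEARCH_LIMIT` value and the request shape are all assumptions. The weak handler trusts a flag the client sends; the hardened one looks the entitlement up in server-side records and throttles per authenticated user, which is what turns bulk enumeration into something a defender can both block and detect.

```python
"""Added example for the Bumble API story: a toy filter-search handler in its
vulnerable form beside a hardened form. All names, limits and records are
constructed for illustration and are not taken from the real service."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed server-side record of which accounts actually paid for premium.
PREMIUM_ACCOUNTS = {"user-1"}

# Assumed cap on filtered-search requests per user per window (constructed value).
SEARCH_LIMIT = 5


@dataclass
class ServerState:
    """Per-process counters; a real deployment would keep these in shared storage."""
    search_counts: dict = field(default_factory=lambda: defaultdict(int))


def weak_filter_search(request: dict) -> dict:
    """Vulnerable pattern: the server believes the client's own claim that it
    holds the premium tier, and it never counts requests, so a script can
    page through every profile simply by repeating the call."""
    if not request.get("is_premium", False):
        return {"status": 403, "reason": "premium required"}
    return {"status": 200, "results": f"profiles matching {request['filters']}"}


def hardened_filter_search(state: ServerState, user_id: str, request: dict) -> dict:
    """Hardened pattern: the client-supplied flag is ignored entirely; the
    entitlement comes from server-side records, and filtered searches are
    rate-limited per authenticated user so bulk enumeration is throttled.
    The 429 path is also the place to emit a detection log line."""
    if user_id not in PREMIUM_ACCOUNTS:
        return {"status": 403, "reason": "premium required"}
    state.search_counts[user_id] += 1
    if state.search_counts[user_id] > SEARCH_LIMIT:
        # Detection hook: one account hammering the filter endpoint is the
        # signature of the enumeration the article describes.
        return {"status": 429, "reason": "rate limit exceeded"}
    return {"status": 200, "results": f"profiles matching {request['filters']}"}


if __name__ == "__main__":
    # Constructed request from an account that has NOT paid but claims premium.
    forged = {"is_premium": True, "filters": {"height_cm": 180}}
    print("weak:", weak_filter_search(forged))                      # bypass succeeds
    state = ServerState()
    print("hardened:", hardened_filter_search(state, "user-2", forged))  # 403
    for _ in range(SEARCH_LIMIT + 1):
        last = hardened_filter_search(state, "user-1", forged)
    print("hardened after flood:", last)                             # 429
```

The point of the comparison is that the entitlement decision and the request budget both live on the server, keyed by the authenticated identity; nothing the client sends in the body can change either one.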
An attacker could potentially gain access to data, such as what kind of person the user is looking for, which could prove useful in creating a fake persona for a dating scam. Also, they’d have access to information users share on their profile such as height, religious beliefs and political leanings. The black hat could also find out people’s loc ..