Millions of Bumblers' personal information exposed in dating app security flaw

Attackers could steal names, pictures and even information on the kind of partner a Bumble user was seeking

Popular dating app Bumble says it has fixed a security vulnerability on its platform that could have allowed hackers to steal the personal data of millions of users.

No user data was compromised as a result of the flaw, the company claimed.

Researchers from cyber security firm Independent Security Evaluators (ISE) uncovered the flaw: a bug in the app's API, which tells the programme the correct way to access data from a device.

In a blog post, ISE security analyst Sanjana Sarda revealed that she reverse-engineered Bumble's API and discovered that many endpoints were processing requests without being checked by the server.

She also found that the API had not put any limits on the number of requests to stop an unauthorised individual from searching the server for information about users.

Sarda claimed that the vulnerability could allow an attacker to "dump Bumble's entire user-base, with basic user information and pictures, even if the attacker is an unverified user with a locked account."

For profiles connected to Facebook, attackers could exploit the vulnerability to gain access to more information, including images uploaded and the type of partner that a user was looking for.

The bug could also have enabled attackers to bypass payment on Bumble's premium features.

Sarda said that Bumble was notified about the vulnerability in March this year, but the company took more than six months to fix the issue.

"As of November 1, 2020, all the attacks mentioned in this blog still worked," Sarda said.

"When retesting for the following issues on November 11, 2020, certain issues had been partially mitigated."

According to Sarda, the app now uses a new encryption scheme and has stopped using sequential user IDs.

"This means that an attacker cannot dump Bumble's entire user base anymore using the attack".

However, Sarda said that an attacker "can still use the endpoint to obtain information such as Facebook likes, pictures, and other profile information such as dating interests."

"This still works for an unvalidated, locked-out user, so an attacker can make unlimited fake accounts to dump user data. However, attackers can only do this for encrypted IDs that they already have (which are made available for people near you). It is likely that Bumble will fix this too within the next few days."

A spokesperson for Bumble said that after being alerted to the issue, the company began "the multi-phase remediation process that included putting controls in place to protect all user data while the fix was being implemented."

"Bumble has had a long history of collaboration with HackerOne and it's bug bounty program as part of our overall cyber security practice, and this is another example of that partnership. After being alerted to the issue we then began the multi-phase remediation process that included putting controls in place to protect all user data while the fix was being implemented. The underlying user security related issue has been resolved and there was no user data compromised," Bumble spokesperson said.

HackerOne spokesperson stated: "Vulnerability disclosure is a vital part of any organization's security posture. Ensuring vulnerabilities are in the hands of the people that can fix them is essential to protecting critical information. Bumble has a history of collaboration with the hacker community through its bug bounty program on HackerOne. While the issue reported on HackerOne was resolved by Bumble's security team, the information disclosed to the public includes information far exceeding what was responsibly disclosed to them initially. Bumble's security team works around the clock to ensure all security-related issues are resolved swiftly and confirmed that no user data was compromised."