Popular dating website Bumble reportedly suffered from a wonky application programming interface (API) bug, leaving approximately 100 million daters and users alike to become vulnerable. According to Threat Post, the security flaws in question were left unpatched by the company for over six months.
In an article by Forbes on Sunday, November 15, 2020, the business magazine cited the report released by the Independent Security Evaluators (ISE). The San Diego-based security researchers reportedly found that despite being banned from the site, malicious hackers could still gain access to the information of Bumble users and daters.
Apart from this, the report also made it clear that threat actors could acquire the identities of daters using the app. If the app was connected to a user’s Facebook account, the security researchers found that they could also see the interests or pages a person may have liked, notes Forbes.
The security researchers also said that the vulnerabilities would have allowed hackers to steal photos uploaded onto the app as well as determine the type of individual a user wants to date or match with. Location settings may also prove vulnerable to the user with the said bug.
Hackers may also gain access to premium features on Bumble, such as getting unlimited votes and advanced filtering.
Sanjana Sarda, a security researcher from the ISE, found that the API of Bumble failed to hold the necessary checks required, thereby failing to protect the users from being exploited by malicious accounts.
Moreover, Threat Post states that Sarda also found that the “wish” data from Bumble could be retrieved, with profiles containing various information. These include the user’s personal information, political leanings and affiliations, height, weight, education, and even astrological signs.
Of this, Sarda said that “this is a breach of user privacy as specific users can be targeted, user data can be commodified or used as training sets for facial machine-learning models, and attackers can use triangulation to detect a specific user’s general whereabouts.”
In a statement by Bumble to Forbes, it said that “After being alerted to the issue we then began the multi-phase remediation process that included putting controls in place to protect all user data while the fix was being implemented. The underlying user security-related issue has been resolved and there was no user data compromised.”
Its relationship with HackerOne allowed it to proceed with the said fix, albeit half a year later. Forbes revealed that Sarda initially disclosed the API vulnerability back in March.
Upon checking, more than 200 days of being exposed, Sarda said in her blog post that the issue was still active on November 1, 2020. It only started to find a fix for the bug earlier this month.