Popular data exchange app 'Bump' suffers security lapse

Bump Technologies, maker of the popular data exchange application 'Bump', said it has corrected a problem that could have exposed users' information. 

Bump, available for Google's Android and Apple's iPhone, iPod Touch and iPad devices, allows users to share contact information, photos and other data by simply tapping two devices together.

The app was sending private information in the clear, despite the company's claim that it uses secure protocols to transfer information, M.J. Keith, a security researcher with security and compliance solutions provider Alert Logic, told SCMagazineUS.com.

Because the data was not encrypted, an attacker could have used a packet analyser to read any data that one user transmitted to another, he said.

David Lieb, co-founder and CEO of Bump Technologies, told SCMagazineUS.com in an email that Alert Logic was correct in saying that traffic from some Bump users was being sent over HTTP, instead of HTTPS.

The company has fixed the issue, he said.

“This temporary lapse was a result of a switchover to a new back-end infrastructure,” he said. “We certainly had no intention of deceiving users.”

The app, launched last year, has been downloaded 10 million times, according to reports.

“As a Bump user, this does not sit well with me,” Keith wrote in a blog post. “Rather than taking the time to implement something remotely resembling real security, they just lied and hoped no one would notice. That is unethical, and Bump users have a right to know that.”

On its website, Bump says all communications between users' phones and its servers are encrypted using HTTPS.

“When we built Bump, our No.1 one priority was creating the best possible user experience we could,” the website states. “Security of your personal information is a huge part of that experience.”

However, Keith confirmed that Bump for iPhone and Android was transferring data in clear text. He went public with the security issue last week at the HouSecCon conference in Houston, before notifying Bump Technologies about the problem.

“I could have contacted the company explaining the issue, but since they wrote the app, I am sure they already know how it works,” he wrote. “That would have just given them an opportunity to avoid accountability for clearly unethical marketing."

Lieb said that Bump Technologies appreciates that Alert Logic detected the security lapse, but wished researchers had contacted Bump directly so they could have fixed the vulnerability before it was known publicly.

Keith warned that there are many other smartphone applications that are not secure and can expose users' sensitive data.

“The majority of apps are incredibly insecure and don't use any form of encryption,” he said.

See original article on scmagazineus.com