Popular dating app Bumble leaked users' exact location

A software engineer at payments processor Stripe found a vulnerability in dating app Bumble that could be used to discern the exact location of users, potentially putting users at risk.

Credit: Robert Heaton

By learning how Bumble's application programming interface (API) works, software engineer Robert Heaton found a way to pinpoint users' exact location, bypassing the safeguards in the app designed to prevent this.

Heaton used two fake Bumble profiles, one for the attacker and one for the victim.

He was able to bypass signature checks for API requests which got him around Bumble's paywall.

Being able to send arbitrary requests to Bumble's API allowed Heaton to work out how the app calculated and presented matching users' approximate locations by rounding down the exact distance they are from each other.

With that information, Heaton was able to devise a trilateration attack, which in a similar fashion to triangulation would reveal the location of the victim Bumble user.

Heaton reported the vulnerability to Bumble via bug bounty site HackerOne.

A fix was deployed within 72 hours, and Heaton was awarded US$2000, which he donated to charity.

“This is the second serious vulnerability in Bumble in recent times.

In November last year, researchers at Independent Security Evaluators discovered that it was not only possible to bypass paying for the Bumble Boost premium features, but also to dump all the dating app’s user information including pictures.” 

Bumble has around 100 million users worldwide, and was created by Tinder co-founder Whitney Wolfe Herd and the founder of social network Badoo, Andrey Andreev.