Bumble Left Daters' Location Data Up For Grabs For Over Six Months

Illustration for article titled Bumble Left Daters Location Data Up For Grabs For Over Six Months
Photo: Eric Baradat (Getty Images)

Bumble, the dating app behemoth that’s allegedly headed to a major IPO as soon as next year, apparently took over half a year to deal with major security flaws that left sensitive information its millions of users vulnerable.

Advertisement

That’s according to new research posted over the weekend by cybersecurity firm Independent Security Evaluators (ISE) detailing how a bad actor—even one that was banned from Bumble—could exploit a vulnerability in the app’s underlying code to pull the rough location data for any Bumbler within their city, as well as additional profile data like photos and religious views. Despite being informed about this vulnerability in mid-March, the company didn’t patch the issues until November 12—roughly six and a half months later.

Pre-patch, anyone with a Bumble account could query the app’s API in order to figure out roughly how many miles away any other user in their city happened to be. As the blog’s author, Sanjana Sarda, explained, if a certain creepy someone really wanted to figure out the location of a given Bumble user, it wouldn’t be too hard to set up a handful of accounts, figure out the user’s basic distance from each one, and use that collection of data to triangulate a Bumbler’s precise location.

Advertisement

Bumble isn’t the first company to accidentally leave this sort of data freely available. Last year, cybersecurity sleuths were able to create to glean precise locations of people using LGBT-centric dating apps like Grindr and Romeo and collate them into a user location map. And those location-data leaks are on top of the deliberate data sharing these sorts of dating apps typically already engage in with a bevy third-party partners. You would think that an app purporting to be a feminist haven like Bumble might extend its idea of user safety to its data practices.

While some of the issues described by Sarda have been resolved, the belated patch apparently didn’t tackle one of the other major API-based issues described in the blog, which allowed ISE to get unlimited swipes (or “votes” in Bumble parlance), along with access to other premium features like the ability to unswipe or to see who might have swiped right on them. Typically, accessing these features cost a given Bumbler roughly $10 dollars per week.

Correction 7:15pm ET, Nov. 16: Due to a communication error, we failed to reach out to Bumble for comment prior to publication. We have since given the company the opportunity to respond. We sincerely regret the error.

Update 11/17/2020, 10:18 a.m. ET: A Bumble spokesperson sent the following statement:

Bumble has had a long history of collaboration with HackerOne and its bug bounty program as part of our overall cyber security practice, and this is another example of that partnership. After being alerted to the issue we then began the multi-phase remediation process that included putting controls in place to protect all user data while the fix was being implemented. The underlying user security related issue has been resolved and there was no user data compromised.

Advertisement

I cover the business of data for Gizmodo. Send your worst tips to swodinsky@gizmodo.com.

Share This Story

Get our newsletter

DISCUSSION

light-emitting-diode
Light Emitting Diode

I don’t get why they’re not bucketing that kind of location data instead. Easier to compare and slightly anonymizes it.