Vulnerability In Dating App Bumble Revealed Users' Location; Now Fixed By Company
Since Bumble doesn't update the location of its users that often in its app, it wouldn't have provided an attacker with a live feed of a user's location, but gave a rough idea of the users' location.

Dating app Bumble has been found to have a vulnerability that could have allowed an attacker to find the precise location of other users. The vulnerability was found by security researcher Robert Heaton, who works as a software engineer at the payments company Stripe. Upon finding the vulnerability, Heaton developed and executed an attack to test his findings. In a blog post, Heaton indicated that an attacker exploiting the vulnerability could use Bumble's app and service to discover a user's home address as well as track their movements in the real world to some degree. Heaton reported his findings to Bumble, and the vulnerability was patched just three days later. Heaton received a bug bounty bonus of $2,000 (roughly Rs 1,47,000) for his finding.

Since Bumble doesn't update the location of its users that often in its app, the vulnerability wouldn't have provided an attacker with a live feed of a user's location, only a rough idea of it. To find the vulnerability, Heaton created an automated script that sent a sequence of requests to the company's servers. These requests repeatedly relocated the attacker before requesting the distance to the victim. If an attacker can find the point at which the reported distance of another Bumble user flips from 3 miles to 4 miles, they can infer that this is the point at which their victim is exactly 3.5 miles away from them.
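The request pattern described above (relocate, then ask for the distance to the same user, over and over) is something a service can look for in its own logs. The following is an added example, not code from Heaton or Bumble: the event format, account names, speed ceiling and alert threshold are all assumptions, and the log lines are constructed.

```python
import math
from collections import defaultdict

# Constructed sample events, not real Bumble logs:
# (epoch_seconds, account, action, lat, lon, target)
EVENTS = [
    (0, "acct_a", "set_location", 40.7000, -74.0, None),
    (2, "acct_a", "get_distance", None, None, "user_v"),
    (4, "acct_a", "set_location", 40.7600, -74.0, None),
    (6, "acct_a", "get_distance", None, None, "user_v"),
    (8, "acct_a", "set_location", 40.7300, -74.0, None),
    (10, "acct_a", "get_distance", None, None, "user_v"),
    (12, "acct_a", "set_location", 40.7450, -74.0, None),
    (14, "acct_a", "get_distance", None, None, "user_v"),
    (0, "acct_b", "set_location", 51.5000, -0.1200, None),
    (30, "acct_b", "get_distance", None, None, "user_w"),
    (3600, "acct_b", "set_location", 51.5050, -0.1250, None),
    (3630, "acct_b", "get_distance", None, None, "user_w"),
]
MAX_MPH = 600.0   # assumed ceiling for plausible travel speed
MIN_PROBES = 3    # assumed alert threshold per (account, target)

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2)
         * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 3958.8 * math.asin(math.sqrt(a))

def find_probing_accounts(events, max_mph=MAX_MPH, min_probes=MIN_PROBES):
    """Return (account, target) pairs with repeated relocate-then-query cycles."""
    last_fix, jumped, probes = {}, set(), defaultdict(int)
    for ts, acct, action, lat, lon, target in sorted(events, key=lambda e: e[0]):
        if action == "set_location":
            prev = last_fix.get(acct)
            if prev:
                hours = max(ts - prev[0], 1) / 3600.0
                mph = haversine_miles(prev[1], prev[2], lat, lon) / hours
                if mph > max_mph:
                    jumped.add(acct)      # physically implausible move
                else:
                    jumped.discard(acct)
            last_fix[acct] = (ts, lat, lon)
        elif action == "get_distance" and acct in jumped:
            probes[(acct, target)] += 1   # distance query right after a jump
            jumped.discard(acct)
    return sorted(pair for pair, n in probes.items() if n >= min_probes)
```

On the constructed events, `acct_a` is flagged for three implausible jumps each followed by a distance query on `user_v`, while `acct_b`, which moves a fraction of a mile in an hour, is not.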

By circumventing signature checks for API requests, Heaton also managed to spoof "swipe yes" requests in the Bumble app on anyone who had also declared an interest in a profile, without paying the $1.99 fee.
