Bumble security flaw left users' location data, profile pictures exposed for over six months

Bumble was informed about the flaw in March; however, as of 11 November, only a few of the issues were found to be mitigated.

Update: At 8.43 am on 18 November, this article has been updated to include an official statement from Bumble.

A security flaw in the dating app Bumble has reportedly left the location and other profile data of many users exposed for over six months. This was reported by cybersecurity firm Independent Security Evaluators (ISE), which claims that, due to the vulnerability on the platform, "an attacker can dump Bumble’s entire user-base with basic user information and pictures even if the attacker is an unverified user with a locked account." The researchers also found that a vulnerability on the platform allowed attackers to bypass payment for Bumble’s premium features.

Bumble was informed about the flaw in March; however, as of 1 November, none of the issues had been patched. Upon retesting on 11 November, only a few of the issues were found to be mitigated. Bumble, however, says that the "security-related issue has been resolved and there was no user data compromised."

"Bumble is no longer using sequential user ids and has updated its previous encryption scheme. This means that an attacker cannot dump Bumble’s entire user base anymore using the attack as described here. The API request does not provide distance in miles anymore — so tracking location via triangulation is no longer a possibility using this endpoint’s data response," the researchers confirm.

tech2 reached out to Bumble to learn more about the vulnerability. A Bumble spokesperson said in a statement:

"Bumble has had a long history of collaboration with HackerOne and its bug bounty program as part of our overall cybersecurity practice, and this is another example of that partnership. After being alerted to the issue we then began the multi-phase remediation process that included putting controls in place to protect all user data while the fix was being implemented. The underlying user security-related issue has been resolved and there was no user data compromised."

However, the cybersecurity firm found that an attacker can still use the endpoint to obtain information such as Facebook likes, pictures, and other profile details such as dating interests. Even a locked-out user can still access all of this information.

Notably, the researchers make it clear that, after a few of the issues were mitigated, attackers can now only do this for encrypted IDs they already have.

Considering that some of the security flaws were recently fixed, Bumble is expected to fix the remaining issues soon as well.
