Despite their claims of safety and security, dating apps can expose users to real security threats. Users of the popular dating app Bumble could have had their location data leaked through a cyberattack. Thankfully, a white hat hacker found and reported the flaw first.
Robert Heaton, a software engineer working for the payment company Stripe, was rewarded $2,000 after he found a vulnerability in Bumble. Heaton submitted findings proving that an attacker could pinpoint the precise location of other users of the dating app. The bug was fixed within 72 hours of his report.
Heaton confirmed the flaw by developing and running a “trilateration attack.” In his blog post, he explained that he wrote an automated script that sent a large number of requests to the company’s servers. The script repeatedly changed the “attacker’s” own reported location and then asked the server for its distance to a potential victim.
“If an attacker can find the point at which the reported distance to a user flips from, say, 3 miles to 4 miles, the attacker can infer that this is the point at which their victim is exactly 3.5 miles away from them,” he wrote. Once an attacker has found three such “flipping points,” they hold three exact distances from known positions, which is all that precise trilateration requires.
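The mechanism described above, as an added toy model that is not Heaton's script or any Bumble code: a mock distance API rounds the true distance to the nearest whole mile, a probe walks along a straight line until the reported value flips, and three flip points are trilaterated. The same model then shows why snapping a user's stored location to a coarse grid before computing distances blunts the leak. Everything here is constructed: flat-plane coordinates in miles (no real geodesy), round-half-up rounding, the victim position, the probe rays, and the grid-snapping mitigation are all assumptions of this example, not a description of Bumble's actual fix.

```python
"""Toy model of the distance-rounding "flip point" leak and a grid-snapping
mitigation. Constructed example: flat plane, units are miles."""
import math

def true_distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def make_distance_api(victim, snap_to_grid=None):
    """Return a mock server endpoint: distance from `observer` to the victim,
    rounded half-up to the nearest whole mile (so 3.5 reports as 4).
    With snap_to_grid set, the victim's stored location is first snapped to
    the centre of a grid cell of that size (assumed mitigation, not Bumble's)."""
    if snap_to_grid:
        victim = (math.floor(victim[0] / snap_to_grid + 0.5) * snap_to_grid,
                  math.floor(victim[1] / snap_to_grid + 0.5) * snap_to_grid)
    def api(observer):
        api.calls += 1                       # count queries: the detectable signal
        return math.floor(true_distance(observer, victim) + 0.5)
    api.calls = 0
    return api

def find_flip_point(api, origin, angle, step=0.1, max_t=20.0, tol=1e-6):
    """Walk a ray from `origin` in coarse steps until the reported distance
    changes, then bisect that step to locate the boundary. At the boundary
    between reports k and k+1 the true distance is k + 0.5."""
    dx, dy = math.cos(angle), math.sin(angle)
    def at(t):
        return (origin[0] + t * dx, origin[1] + t * dy)
    prev_t, prev_r = 0.0, api(origin)
    for i in range(1, int(max_t / step) + 1):
        t = i * step
        r = api(at(t))
        if r != prev_r:
            lo, hi = prev_t, t               # report changes somewhere in (lo, hi]
            while hi - lo > tol:
                mid = (lo + hi) / 2
                if api(at(mid)) == prev_r:
                    lo = mid
                else:
                    hi = mid
            return at((lo + hi) / 2), min(prev_r, r) + 0.5
        prev_t, prev_r = t, r
    raise ValueError("no flip found along this ray")

def trilaterate(circles):
    """Intersect three circles (x, y, radius) by subtracting the first circle's
    equation from the other two, which leaves a 2x2 linear system."""
    (x1, y1, d1), (x2, y2, d2), (x3, y3, d3) = circles
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = d1**2 - d2**2 - x1**2 - y1**2 + x2**2 + y2**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = d1**2 - d3**2 - x1**2 - y1**2 + x3**2 + y3**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("flip points are collinear; pick another ray")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)

def locate(api, probes):
    """Collect one flip point per probe ray and trilaterate the result."""
    circles = []
    for origin, angle in probes:
        point, dist = find_flip_point(api, origin, angle)
        circles.append((point[0], point[1], dist))
    return trilaterate(circles)

VICTIM = (3.7, 2.1)                                          # constructed
PROBES = [((0.0, 0.0), 0.0),                                 # east along the x-axis
          ((0.0, 0.0), math.pi / 2),                         # north along the y-axis
          ((8.0, 0.0), math.pi / 2)]                         # north from (8, 0)

def demo():
    """Return (position recovered from the leaky API, position recovered
    when the server snaps the victim to a 1-mile grid, query count)."""
    leaky_api = make_distance_api(VICTIM)
    leaky = locate(leaky_api, PROBES)
    snapped = locate(make_distance_api(VICTIM, snap_to_grid=1.0), PROBES)
    return leaky, snapped, leaky_api.calls

if __name__ == "__main__":
    leaky, snapped, calls = demo()
    print("true:", VICTIM, "leaky recovers:", leaky, "after", calls, "queries")
    print("grid-snapped recovers:", snapped,
          "error:", round(true_distance(snapped, VICTIM), 3), "miles")
```

Against the unmitigated endpoint the three flip points recover (3.7, 2.1) to within a few millionths of a mile, even though every individual response was a whole number. Against the grid-snapped endpoint the same procedure can only recover the cell centre (4, 2), so rounding the distance alone is not a privacy control; the location fed into the distance calculation has to be coarsened. On the defensive side, the `calls` counter is the signal worth alerting on: a single account that updates its own location and queries distances hundreds of times in quick succession looks nothing like a person using the app.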
Apart from this bug, the software engineer also managed to spoof “swipe yes” requests in the Bumble app without paying the $1.99 fee, by bypassing the signature checks on API requests.
Finding and fixing such vulnerabilities is a recurring theme for dating apps. Tinder had a similar trilateration issue in 2013 that was later fixed. In 2015, researchers from Synack also found vulnerabilities in other dating apps, recovering users' locations by applying trigonometry to the distances the apps reported.