Dating Site Bumble Leaves Swipes Unsecured for 100M Users
upstart writes in with an IRC submission:
Dating Site Bumble Leaves Swipes Unsecured for 100M Users:
Bumble fumble: An API bug exposed personal information of users like political leanings, astrological signs, education, and even height and weight, and their distance away in miles.
After taking a closer look at the code for popular dating site and app Bumble, where women typically initiate the conversation, Independent Security Evaluators researcher Sanjana Sarda found concerning API vulnerabilities. These not only allowed her to bypass paying for Bumble Boost premium services, but she also was able to access personal information for the platform's entire user base of nearly 100 million.
Sarda said these issues were easy to find and that the company's response to her report on the flaws shows that Bumble needs to take testing and vulnerability disclosure more seriously. HackerOne, the platform that hosts Bumble's bug-bounty and reporting process, said that the romance service actually has a solid history of collaborating with ethical hackers.
[...] She reverse-engineered Bumble's API and found several endpoints that were processing actions without being checked by the server. That meant that the limits on premium services, like the total number of positive "right" swipes per day allowed (swiping right means you're interested in the potential match), were simply bypassed by using Bumble's web application rather than the mobile version.
[...] On a more lighthearted note, Sarda also said that during her testing, she was able to see whether someone had been identified by Bumble as "hot" or not, but found something very curious.
"[I] still have not found anyone Bumble thinks is hot," she said.
Read more of this story at SoylentNews.
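An added example, not from the article or from Bumble's own code, showing the class of server-side check the report says was missing: a client-trusting swipe handler beside one whose verdict depends only on server-held entitlements and counters. The quota numbers are constructed (Bumble's real limits are not on the page) and the `day_fn` hook exists only so the daily reset can be exercised.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed quota values for illustration; the real limits are not on the page.
FREE_DAILY_RIGHT_SWIPES = 25
PREMIUM_DAILY_RIGHT_SWIPES = None  # None means unlimited


def swipe_trusting_client(payload):
    """The pattern the report describes: the server applies whatever the client
    sends, so a web client that reports spare swipes is never limited."""
    if payload["direction"] == "right" and payload.get("swipes_left", 0) <= 0:
        return False, "limit reached (client-reported)"
    return True, "ok"


class SwipeService:
    """Server-side enforcement: the verdict depends only on server-held
    entitlements and counters, so web and mobile clients are treated alike."""

    def __init__(self, premium_users, day_fn=None):
        self._premium = set(premium_users)       # entitlement store (server side)
        self._counts = Counter()                 # (user_id, day) -> accepted rights
        # Hypothetical hook: returns the current UTC day as an ISO string.
        self._day = day_fn or (lambda: datetime.now(timezone.utc).date().isoformat())

    def swipe(self, user_id, direction, payload):
        """Return (accepted, reason). Anything in `payload` that describes the
        client's own state (boost status, remaining count) is ignored on purpose."""
        if direction not in ("left", "right"):
            return False, "invalid direction"
        if direction == "left":
            return True, "ok"                    # left swipes are not quota-limited
        limit = (PREMIUM_DAILY_RIGHT_SWIPES if user_id in self._premium
                 else FREE_DAILY_RIGHT_SWIPES)
        key = (user_id, self._day())             # per-user, per-day bucket
        if limit is not None and self._counts[key] >= limit:
            return False, "daily right-swipe limit reached"
        self._counts[key] += 1                   # count only accepted swipes
        return True, "ok"
```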