Bug Details

“It took me approximately two days to find the initial vulnerabilities and about two more days to come up with proofs-of-concept for further exploits based on the same vulnerabilities,” Sarda told Threatpost by email. “Although API issues are not as renowned as something like SQL injection, these issues can cause significant damage.” She reverse-engineered Bumble’s API and found several endpoints that were processing actions without being checked by the server. That meant that the limits on premium services, like the total number of positive “right” swipes per day allowed (swiping right means you’re interested in the potential match), were simply bypassed by using Bumble’s web application rather than the mobile version.
Bumble Boost is called The Beeline, which lets users see all the people who have swiped right on their profile. Here, Sarda explained that she used the Developer Console to find an endpoint that displayed every user in a potential match feed. From there, she was able to figure out the codes for those who swiped right and those who didn’t. But beyond premium services, the API also let Sarda access the “server_get_user” endpoint and enumerate Bumble’s worldwide users. She was even able to retrieve users’ Facebook data and the “wish” data from Bumble, which tells you the type of match they’re searching for. The “profile” fields were also accessible, which contain personal information like political leanings, astrological signs, education, and even height and weight.
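The defensive pattern for the two issues just described (client-enforced swipe limits and premium-only data shipped to the client and merely hidden there) is to enforce entitlements on the server per authenticated account. The following is an added example and not Bumble’s code; the names `SwipeService`, `Tier`, `Account`, the `liked_you` field and the `FREE_DAILY_SWIPES` quota are hypothetical.

```python
"""Server-side entitlement checks for a swipe-style API (added example).

The server owns the daily counter and the premium-only fields, so
switching from the mobile app to the web client changes nothing:
the `client` string is logged but never consulted for authorization.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum

FREE_DAILY_SWIPES = 25  # constructed quota for the example, not Bumble's


class Tier(Enum):
    FREE = "free"
    PREMIUM = "premium"


@dataclass
class Account:
    user_id: str
    tier: Tier
    # Counter lives on the server, keyed by day; the client never
    # tells the server how many swipes it has left.
    swipes_by_day: dict = field(default_factory=dict)


class SwipeService:
    def __init__(self, today=None):
        self.today = today or date.today()

    def right_swipe(self, account: Account, client: str) -> bool:
        """Record a right swipe. `client` ("web"/"mobile") deliberately
        plays no part in the decision; only the account's tier does."""
        if account.tier is Tier.PREMIUM:
            return True
        used = account.swipes_by_day.get(self.today, 0)
        if used >= FREE_DAILY_SWIPES:
            return False  # quota enforced server-side, not by the app
        account.swipes_by_day[self.today] = used + 1
        return True

    def feed(self, account: Account, candidates: list) -> list:
        """Return match-feed entries. The `liked_you` flag behind the
        premium 'who swiped right' view is stripped on the server for
        free accounts instead of being sent and hidden by the client."""
        if account.tier is Tier.PREMIUM:
            return [dict(c) for c in candidates]
        return [{k: v for k, v in c.items() if k != "liked_you"}
                for c in candidates]
```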
She reported that the vulnerability could also allow an attacker to figure out if a given user has the mobile app installed and if they are from the same city, and worryingly, their distance away in miles.

“This is a breach of user privacy as specific users can be targeted, user data can be commodified or used as training sets for facial machine-learning models, and attackers can use triangulation to detect a specific user’s general whereabouts,” Sarda said. “Revealing a user’s sexual orientation and other profile information can also have real-life consequences.”
On a more lighthearted note, Sarda also said that during her testing, she was able to see whether someone had been identified by Bumble as “hot” or not, but found something very curious.
“[I] still have not found anyone Bumble thinks is hot,” she said.
Reporting the API Vuln
Sarda said she and her team at ISE reported their findings privately to Bumble to attempt to mitigate the vulnerabilities prior to going public with their research.
“After 225 days of silence from the company, we moved on to the plan of publishing the research,” Sarda told Threatpost by email. “Only once we started talking about publishing, we received an email from HackerOne on 11/11/20 about how ‘Bumble are keen to avoid any details being disclosed to the press.’”
HackerOne then moved to resolve some of the issues, Sarda said, but not all of them. Sarda found when she re-tested that Bumble no longer uses sequential user IDs and updated its encryption.
“This means that I cannot dump Bumble’s entire user base anymore,” she said.
In addition, the API request that at one time gave distance in miles to another user is no longer working. However, access to other information from Facebook is still available. Sarda said she expects Bumble will fix those issues too in the coming days.
“We saw that the HackerOne report #834930 was resolved (4.3 – medium severity) and Bumble offered a $500 bounty,” she said. “We did not accept this bounty since our goal is to help Bumble completely resolve all their issues by conducting mitigation testing.”
Sarda explained that she retested on Nov. 1 and all of the issues were still in place. As of Nov. 11, “certain issues had been partially mitigated.” She added that this indicates Bumble wasn’t responsive enough through their vulnerability disclosure program (VDP).
Not so, according to HackerOne.
“Vulnerability disclosure is a vital part of any organization’s security posture,” HackerOne told Threatpost in an email. “Ensuring vulnerabilities are in the hands of the people that can fix them is essential to protecting critical information. Bumble has a history of collaboration with the hacker community through its bug-bounty program on HackerOne. While the issue reported on HackerOne was resolved by Bumble’s security team, the information disclosed to the public includes information far exceeding what was responsibly disclosed to them initially. Bumble’s security team works around the clock to ensure all security-related issues are resolved swiftly, and confirmed that no user data was compromised.”
Threatpost reached out to Bumble for further comment.
Managing API Vulns

APIs are an overlooked attack vector, and are increasingly being used by developers, according to Jason Kent, hacker-in-residence for Cequence Security. “API use has exploded for both developers and bad actors,” Kent said via email. “The same developer benefits of speed and flexibility are leveraged to execute an attack resulting in fraud and data loss. In many cases, the root cause of the incident is human error, such as verbose error messages or improperly configured access control and authentication. The list goes on.”
Kent added that the onus is on security teams and API centers of excellence to figure out how to improve their security.
And indeed, Bumble isn’t alone. Similar dating apps like OKCupid and Match have also had issues with data privacy vulnerabilities in the past.