An API bug in the popular dating app Bumble exposed users' personal information, including political leanings, astrological signs, education, height and weight, and their distance away in miles. The bug was found by Sanjana Sarda, a researcher at Independent Security Evaluators, who was able to access personal information for the platform's entire user base of nearly 100 million.
APIs are an integral part of almost every application today. They enable integration with other systems, communication with databases, and provide an interface for configuring the application. As such, they should be tested frequently and in detail. As this case shows, the API provides access to the same data the application itself uses, so an authorization flaw in the API exposes that data directly.
The researcher managed to bypass Bumble's protections and access premium features, which gave her access to Bumble's users and their personal data. Had a malicious actor leveraged this defect, it could have hurt Bumble's business and its reputation, and undermined the confidence users place in the service when they trust it with their personal data. Fortunately an ethical hacker identified the issue and disclosed it responsibly to Bumble.
This class of issue will keep growing as APIs become more widespread among developers. Reuse of code and patterns across APIs makes it easier for bad actors to exploit the same programming flaws and human errors, such as misconfigured access control and authentication, in many places at once.
API developers should accept the burden of ensuring their APIs are as free as possible from flaws that let outsiders take advantage of them the way the Bumble exploit did.
The vulnerabilities Sarda found in Bumble could open users up to harassment, stalking, fraud, and other dangers. An attacker could triangulate a user's location from the reported distances and filter searches of the entire Bumble database by distance, interests, the type of people they are interested in, education, online status, height, and pretty much any other personal detail a user enters into the app. Dating app users tend to share far more about themselves than they would on a typical social media app, so trust is key. Dating apps that want to retain users need to ensure their data is safe and private. Bumble was fortunately on HackerOne, so the vulnerabilities were probably discovered by Sarda before any malicious parties found them, but the company took far too long to respond and remediate the issues.
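To make the location risk concrete, here is an added example (not Bumble's code and not from the original article) showing how a "distance away in miles" field lets an attacker recover a user's position. It assumes the attacker can spoof their own position and query the distance from several probe points, and it treats coordinates as a flat plane in miles, which is accurate enough at city scale. The probe positions, the hidden user location, and the rounding resolution are all constructed for the demonstration; the app's real field name and granularity are not known from the article.

```python
"""
Added example: trilateration from rounded distances.
Not Bumble's code.  Probe positions, user position and the rounding
resolution are constructed for this demonstration.
"""
import math


def reported_distance(user, probe, resolution=1.0):
    """Stand-in for a distance-leaking API field: the true distance between
    the querying account (at `probe`) and the target user, rounded to
    `resolution` miles.  resolution=None returns the exact distance."""
    true = math.dist(user, probe)
    if resolution is None:
        return true
    return round(true / resolution) * resolution


def trilaterate(probes, dists):
    """Least-squares position estimate from three or more (probe, distance)
    pairs.

    Each circle (x-xi)^2 + (y-yi)^2 = di^2 is subtracted from the first,
    which cancels the quadratic terms and leaves one linear row per extra
    probe:  2(xi-x1)x + 2(yi-y1)y = d1^2 - di^2 + xi^2 + yi^2 - x1^2 - y1^2.
    The normal equations (A^T A) v = A^T b give the best-fit point, which
    tolerates the rounding noise in the reported distances.
    """
    if len(probes) < 3 or len(probes) != len(dists):
        raise ValueError("need at least three probes with matching distances")
    (x1, y1), d1 = probes[0], dists[0]
    rows = []
    for (xi, yi), di in zip(probes[1:], dists[1:]):
        a = 2 * (xi - x1)
        b = 2 * (yi - y1)
        c = d1 ** 2 - di ** 2 + xi ** 2 + yi ** 2 - x1 ** 2 - y1 ** 2
        rows.append((a, b, c))

    # Accumulate A^T A (2x2) and A^T b (2x1).
    ata = [[0.0, 0.0], [0.0, 0.0]]
    atb = [0.0, 0.0]
    for a, b, c in rows:
        ata[0][0] += a * a
        ata[0][1] += a * b
        ata[1][0] += b * a
        ata[1][1] += b * b
        atb[0] += a * c
        atb[1] += b * c

    det = ata[0][0] * ata[1][1] - ata[0][1] * ata[1][0]
    if abs(det) < 1e-9:
        # All probes on one line: two mirror-image solutions, cannot decide.
        raise ValueError("probes are collinear; move one off the line")
    x = (ata[1][1] * atb[0] - ata[0][1] * atb[1]) / det
    y = (ata[0][0] * atb[1] - ata[1][0] * atb[0]) / det
    return (x, y)


def locate_user(user, probes, resolution=1.0):
    """Attacker's workflow: set the spoofed position to each probe, read
    the rounded distance the API reports, then solve for the target."""
    dists = [reported_distance(user, p, resolution) for p in probes]
    return trilaterate(probes, dists)


def estimation_error(user, probes, resolution=1.0):
    """Distance in miles between the estimate and the true position."""
    return math.dist(locate_user(user, probes, resolution), user)


# Constructed scenario: four spoofed positions on a 10-mile square and a
# target whose true position the attacker does not know.
PROBES = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (10.0, 10.0)]
HIDDEN_USER = (3.7, 6.2)

if __name__ == "__main__":
    est = locate_user(HIDDEN_USER, PROBES, resolution=1.0)
    print(f"estimate {est[0]:.2f}, {est[1]:.2f}; "
          f"error {estimation_error(HIDDEN_USER, PROBES):.2f} miles")
```

Even with distances rounded to whole miles, four probes narrow the target to within a fraction of a mile, and an attacker can tighten that further by adding probes closer to the estimate. The defensive lesson is that rounding the displayed distance is not enough; the server should not return a distance at all unless the user opted in, and it should rate-limit and bind the caller's position so it cannot be freely spoofed.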