Privacy Experts On API Bug On Dating Site Bumble Exposed Personal Information Of 100M Users

An API bug in the popular dating site Bumble exposed users’ personal information, including political leanings, astrological signs, education, height and weight, and their distance away in miles. The bug was found by Sanjana Sarda, a researcher at Independent Security Evaluators, who was able to access personal information for the platform’s entire user base of nearly 100 million.

Expert Comments

November 18, 2020
Paul Bischoff
Privacy Advocate
Comparitech
The vulnerabilities that Sarda found in Bumble could open users up to harassment, stalking, fraud, and other dangers. An attacker could triangulate a user's location and filter searches of the entire Bumble database by distance, interests, the type of people they are interested in, education, online status, height, and pretty much any other personal detail that a user enters into the app. Dating app users tend to publicly share far more information about themselves than they would on a typical social media app, so trust is key. Dating apps that want to retain users need to ensure their data is safe and private. Bumble was thankfully on HackerOne, so the vulnerabilities were probably discovered by Sarda before any malicious parties, but the company took far too long to respond and remediate the issues.
November 18, 2020
Boris Cipot
Senior Sales Engineer
Synopsys
APIs are an integral part of almost every application today. They enable integration with other systems, communication with databases and provide an interface for configuration of the application. As such, they should be frequently tested in detail. As we see here, the API provides access to the data the application uses. The security researcher managed to bypass Bumble’s protections and accessed premium features, granting her access to Bumble’s users and personal user data. This security defect could not only have a negative impact on Bumble’s business, but could also affect its reputation and the confidence its users have in trusting the service with their personal data if it were leveraged by a malicious hacker. Thankfully an ethical hacker identified the issue and disclosed it responsibly to Bumble.
November 18, 2020
Chris Hauk
Consumer Privacy Champion
Pixel Privacy
This is an issue that will continue to explode, thanks to the popular use of APIs among developers. This makes it easier for the bad actors of the world to benefit from the reuse of code to exploit programming flaws and other human errors, such as misconfigured access control and authentication processes. API developers should be ready to accept the burden of ensuring their APIs are as free as possible from flaws that allow outsiders to take advantage of exploits like the Bumble exploit.