3 min read

How the Bumble dating app revealed any user's exact location

Graham CLULEY

September 02, 2021

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
How the Bumble dating app revealed any user's exact location

Hundreds of millions of people around the world use dating apps in their attempt to find that special someone, but they would be shocked to hear just how easy one security researcher found it to pinpoint a user's precise location with Bumble.

Robert Heaton, whose day job is to be a software engineer at payments processing firm Stripe, discovered a serious vulnerability in the popular Bumble dating app that could allow users to determine another's whereabouts with petrifying accuracy.

Like other dating apps, Bumble displays the approximate geographic distance between a user and their matches.

You might not think that knowing your distance from someone could reveal their whereabouts, but then maybe you don't know about trilateration.

Trilateration is a method of determining an exact location, by measuring a target's distance from three different points.  If someone knew your precise distance from three locations, they could simply draw a circles from those points using that distance as a radius - and where the circles intersected is where they would find you.

All a stalker would have to do is create three fake profiles, position them at different locations, and see how distant they were from their intended target - right?

Well, yes.  But Bumble clearly recognised this risk, and so only displayed approximate distances between matched users (2 miles, for instance, rather than 2.12345 miles.)

What Heaton discovered, however, was a method by which he could still get Bumble to cough up enough information to reveal one user's precise distance from another.

Using an automated script, Heaton was able to make multiple requests to Bumble's servers, that repeatedly relocated the location of a fake profile under his control, before asking for its distance from the intended victim.

Heaton explained that by noting when the approximate distance returned by Bumble's servers changed it was possible to infer a precise distance:

“If an attacker (i.e. us) can find the point at which the reported distance to a user flips from, say, 3 miles to 4 miles, the attacker can infer that this is the point at which their victim is exactly 3.5 miles away from them."

"3.49999 miles rounds down to 3 miles, 3.50000 rounds up to 4. The attacker can find these flipping points by spoofing a location request that puts them in roughly the vicinity of their victim, then slowly shuffling their position in a constant direction, at each point asking Bumble how far away their victim is. When the reported distance changes from (say) 3 to 4 miles, they’ve found a flipping point. If the attacker can find 3 different flipping points then they’ve once again got 3 exact distances to their victim and can perform precise trilateration."

In his tests, Heaton found that Bumble was actually "rounding down" or "flooring" its distances which meant that a distance of, for instance, 3.99999 miles would actually be displayed as approximately 3 miles rather than 4 - but that didn't stop his methodology from successfully determining a user's location after a minor edit to his script.

Heaton reported the vulnerability responsibly, and was rewarded with a $2000 bug bounty for his efforts.  Bumble is said to have fixed the flaw within 72 hours, as well as another issue Heaton uncovered which allowed Heaton to access information about dating profiles that should have only been accessible after paying a $1.99 fee.

Heaton advises that dating apps would be wise to round users' locations to the nearest 0.1 degree or so of longitude and latitude before calculating the distance between them, or even only ever record a user's approximate location in the first place.

As he explains, "You can't accidentally expose information that you don't collect."

Of course, there might be commercial reasons why dating apps want to know your precise location - but that's probably a topic for another article.

Stay safe folks.

tags


Author



Right now

Top posts

The Holiday Guide to Tech Support: Fixing the Family Computer

The Holiday Guide to Tech Support: Fixing the Family Computer

November 24, 2021

2 min read
Bitdefender Celebrates 20 Years of Cybersecurity Leadership

Bitdefender Celebrates 20 Years of Cybersecurity Leadership

November 04, 2021

3 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

October 22, 2021

2 min read
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

October 20, 2021

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Why you should scrutinize shipping confirmation emails this holiday season Why you should scrutinize shipping confirmation emails this holiday season
Alina BÎZGĂ

November 25, 2021

2 min read
Phishing Emails Lure Black Friday Shoppers with Fake Best Buy, Kohl’s and Ace Hardware Gift Card Giveaways Phishing Emails Lure Black Friday Shoppers with Fake Best Buy, Kohl’s and Ace Hardware Gift Card Giveaways
Alina BÎZGĂ

November 24, 2021

2 min read
Spammers use holiday scams to con shoppers out of data and money Spammers use holiday scams to con shoppers out of data and money
Alina BÎZGĂ

November 23, 2021

8 min read