date 2021-08-28

The popular dating application Bumble has come under security scrutiny after a researcher discovered a way to track the location of other users of the application. This vulnerability could have allowed an attacker to misuse the information of users of the Bumble dating app. The security researcher who discovered the issue is Robert Heaton, who works at Stripe. He conducted some tests, reported his findings and was awarded a bug bounty of $2,000. Keep reading to know more about the Bumble user location vulnerability.

Bumble dating app location vulnerability detected by a security researcher

In the latest Bumble app security issue, detected by security researcher Robert Heaton, it was found that users' home addresses and locations were at risk. The researcher developed and ran a trilateration attack test and published his findings in a blog post. Heaton developed an automated script that sent multiple requests to Bumble's servers. Each of these requests relocated the attacker before the distance to the victim was requested. According to the report published by the researcher, if an attacker finds the point where the reported distance of a Bumble dating app user flips from 3 miles to 4 miles, the attacker can infer that the victim is 3.5 miles away.

As mentioned in Heaton's report, here are some key points:

Bumble floors distances, which means that everything is always rounded down. 3.0001, 3.4999, and 3.9999 all round down to 3; 4.0001 rounds down to 4.

There would be no way that a future vulnerability could expose a user’s exact location via trilateration since the distance calculations won’t even have access to any exact locations.
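One way to keep exact locations out of the distance calculation, shown as an added example that is not taken from Heaton's report or from Bumble's code: coordinates are snapped to a grid cell before any distance is computed, and a regression check confirms that two addresses in the same cell can no longer be told apart. The grid size, function names and sample coordinates are assumptions constructed for illustration.

```python
import math

EARTH_RADIUS_MILES = 3958.8
GRID_DEG = 0.01  # assumed cell size (about 0.7 mile of latitude), not Bumble's value

def haversine_miles(a, b):
    """Great-circle distance in miles between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))

def snap(point, cell=GRID_DEG):
    """Coarsen a coordinate to the centre of its grid cell."""
    return tuple((math.floor(c / cell) + 0.5) * cell for c in point)

def floored_distance(viewer, target):
    """Floor-only behaviour described above: exact coordinates in, whole miles out."""
    return math.floor(haversine_miles(viewer, target))

def hardened_distance(viewer, target):
    """Distance computed only from snapped coordinates, then floored."""
    return math.floor(haversine_miles(snap(viewer), snap(target)))

def distinguishable(distance_fn, target_a, target_b, viewers):
    """True if any viewer position is shown different distances for the two targets."""
    return any(distance_fn(v, target_a) != distance_fn(v, target_b) for v in viewers)

# Constructed sample data: two addresses about 0.2 mile apart, in the same grid cell.
HOME_A = (40.7121, -74.0051)
HOME_B = (40.7149, -74.0079)
# Constructed viewer positions stepping north in small increments.
VIEWERS = [(40.7135 + i * 0.0005, -74.0065) for i in range(200)]

if __name__ == "__main__":
    # Floor-only: some viewer position reports different whole-mile values.
    print("floor only leaks:", distinguishable(floored_distance, HOME_A, HOME_B, VIEWERS))
    # Snapped: every viewer position reports the same value for both addresses.
    print("snapped leaks:   ", distinguishable(hardened_distance, HOME_A, HOME_B, VIEWERS))
```

The same `distinguishable` check can be kept as a regression test so that a later change to the distance endpoint cannot quietly reintroduce exact coordinates.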

The issue was reported to Bumble via HackerOne on June 15, 2021, and Bumble deployed a fix to the issue on June 18, 2021.

The vulnerability would not provide an attacker with the live location of a user. As Bumble itself does not update the location of its users in the application, the attacker would have been able to track only some movements of the user. However, users need not worry now, as the vulnerability was patched a few days after it was reported. The security researcher, Robert Heaton, also received a bounty worth $2,000. Additionally,