Bumble fumble: Dude divines definitive location of dating app users despite disguised distances

Up until this year, dating app Bumble inadvertently provided a way to find the exact location of its internet lonely-hearts, much in the same way one could geo-locate Tinder users back in 2014.

In a blog post on Wednesday, Robert Heaton, a security engineer at payments biz Stripe, explained how he managed to bypass Bumble's defenses and implement a system for finding the precise location of Bumblers.

"Revealing the exact location of Bumble users presents a grave danger to their safety, so I have filed this report with a severity of 'High,'" he wrote in his bug report.

Tinder's past flaws explain how it's done

Heaton recounts how Tinder servers until 2014 sent the Tinder app the exact coordinates of a potential "match" – a prospective person to date – and the client-side code then calculated the distance between the match and the app user.

The problem was that a stalker could intercept the app's network traffic to determine the match's coordinates. Tinder responded by moving the distance calculation code to the server and sent only the distance, rounded to the nearest mile, to the app, not the map coordinates.

That fix was insufficient. The rounding operation happened within the app but the still server sent a number with 15 decimal places of precision.

{
  "user_id": 1234567890,
  "distance": 5.21398760815170,
  // ...etc...
}

While the client app never displayed that exact number, Heaton says it was accessible. In fact, Max Veytsman, a security consultant with Include Security back in 2014, was able to use the unnecessary precision to locate users via a technique called trilateralization, which is similar to, but not the same as, triangulation.

This involved querying the Tinder API from three different locations, each of which returned a precise distance. When each of those figures were converted into the radius of a circle, centered at each measurement point, the circles could be overlaid on a map to reveal a single point where they all intersected, the actual location of the target.

The fix for Tinder involved both calculating the distance to the matched person and rounding the distance on its servers, so the client never saw precise data. Bumble adopted this approach but evidently left room for bypassing its defenses.

Bumble's booboo

Heaton in his bug report explained that simple trilateralization was still possible with Bumble's rounded values but was only accurate to within a mile – hardly sufficient for stalking or other privacy intrusions. Undeterred, he hypothesized that Bumble's code was simply passing the exact distance to a function like math.round() and returning the result.

"This means that we can have our attacker slowly 'shuffle' around the vicinity of the victim, looking for the precise location where a victim's distance from us flips from (say) 1.0 miles to 2.0 miles," he explained.

"We can infer that this is the point at which the victim is exactly 1.0 miles from the attacker. We can find 3 such 'flipping points' (to within arbitrary precision, say 0.001 miles), and use them to perform trilateration as before."

Heaton subsequently determined the Bumble server code was using math.floor(), which returns the largest integer less than or equal to a given value, and that his shuffling technique worked.

• Backdoorer the Xplora: Kids' smartwatches can secretly take pics, record audio on command by encrypted texts
• Israeli spyware maker NSO channels Hollywood spy thrillers in appeal for legal immunity in WhatsApp battle
• American schools' phone apps send children's info to ad networks, analytics firms
• Restoring your privacy costs money, which makes it a marker of class

To repeatedly query the undocumented Bumble API required some additional effort, specifically defeating the signature-based request authentication scheme – more of an inconvenience to deter abuse than a security feature. This proved not to be too difficult because, as Heaton explained, Bumble's request header signatures are generated in JavaScript that's accessible in the Bumble web client, which also provides access to whatever secret keys are used.

From there it was a matter of: identifying the specific request header (X-Pingback) carrying the signature; de-minifying a condensed JavaScript file; determining that the signature generation code is simply an MD5 hash; and then figuring out that the signature passed to the server is an MD5 hash of the combination of the request body (the data sent to the Bumble API) and the obscure but not secret key contained within the JavaScript file.

After that, Heaton was able to make repeated requests to the Bumble API to test his location-finding scheme. Using a Python proof-of-concept script to query the API, he said it took about 10 seconds to locate a target. He reported his findings to Bumble on June 15, 2021.

On June 18, the company implemented a fix. While the specifics were not disclosed, Heaton proposed rounding the coordinates first to the nearest mile and then calculating a distance to be displayed through the app. On June 21, Bumble awarded Heaton a $2,000 bounty for his find.

Bumble did not immediately respond to a request for comment. ®