A security vulnerability in popular dating app Bumble could have enabled attackers to pinpoint other users’ precise location. Using fake Bumble profiles, security researcher Robert Heaton fashioned and executed a ‘trilateration’ attack that determined an imagined victim’s specific location.
Though Bumble tells its users how far away they are from each other, the vulnerability could allow an attacker to see precisely where the user lives and where they are at the moment.
In a blog post, Heaton outlined how an attacker would exploit the vulnerability after developing and running a trilateration attack test.
Heaton reported the vulnerability to Bumble, who then quickly deployed a fix and added controls to prevent matching with or viewing users outside of a user’s match queue.
“Vulnerabilities are inevitable in any software - especially mobile apps where delivering innovative new functionality more quickly than your competition can be a game-changer,” says Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based endpoint-to-cloud security company.
“From a consumer standpoint, you don’t want to hear that a dating app has a location-related vulnerability. However, the speed and efficiency at which Bumble was able to push an update that fixed this issue show the advantage of cloud-delivered services that can quickly push fixes out to users before any damage is done. If the user has automatic app updates turned on, which most people do at this point, then the fix was delivered without the user even knowing, and they can continue using a safer version of the app,” Schless adds.
The incident sheds light on how important it is for enterprise organizations to understand if any vulnerable app versions exist in their mobile fleet, Schless explains. “Any vulnerability, regardless of the capability it gives an attacker who successfully exploits it, poses a risk to the overall enterprise security posture. This can get very tricky - especially in a bring-your-own-device (BYOD) scenario where employees will inevitably have highly personal apps, like Bumble, on their device and admins want to provide security without violating employee privacy.”
In addition to vulnerable app versions, security administrators also need to ensure that mobile apps don’t have far-reaching permissions that could pose risks, Schless says. “While many app permissions, such as access to the camera or your contacts, may seem innocuous from a personal standpoint, they could pose a risk from an enterprise perspective where data privacy laws like GDPR and CCPA are king.”
Schless suggests that organizations should leverage a mobile security solution that strikes a balance between security and privacy to mitigate the risk of vulnerable apps or risky permissions. “This means the solution can provide enough visibility to build policies based on app versions and permissions, but not so much that admins can see the apps causing the violations. This preserves employee privacy while also strengthening the overall security and compliance posture of the organization.”