Dating Site Bumble Leaves Swipes Unsecured for 100M Users:
Bumble fumble: An API bug exposed personal information of users like political leanings, astrological signs, education, and even height and weight, and their distance away in miles.
After taking a closer look at the code for popular dating site and app Bumble, where women typically initiate the conversation, Independent Security Evaluators researcher Sanjana Sarda found concerning API vulnerabilities. These not only allowed her to bypass paying for Bumble Boost premium services, but she was also able to access personal information for the platform's entire user base of nearly 100 million.
Sarda said these issues were easy to find and that the company's response to her report on the flaws shows that Bumble needs to take testing and vulnerability disclosure more seriously. HackerOne, the platform that hosts Bumble's bug-bounty and reporting process, said that the romance service actually has a solid history of collaborating with ethical hackers.
[...] She reverse-engineered Bumble's API and found several endpoints that were processing actions without being checked by the server. That meant that the limits on premium services, like the total number of positive "right" swipes per day allowed (swiping right means you're interested in the potential match), were simply bypassed by using Bumble's web application rather than the mobile version.
[...] On a more lighthearted note, Sarda also said that during her testing, she was able to see whether someone had been identified by Bumble as "hot" or not, but found something very curious.
"[I] still have not found anyone Bumble thinks is hot," she said.
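The summary above describes the underlying defect: the limits on premium features were applied only in the mobile client, so any other HTTP client could act as if no limit existed. The following is an added illustration of that pattern and its fix, not code from the article, the researcher or Bumble; the handler names, the user record and the daily limit of 25 are all constructed for the example.

```python
"""
Added example (not Bumble's code): server-side enforcement of a per-user daily
right-swipe quota. The first handler trusts a counter supplied by the client, the
pattern the article describes; the second keeps both the counter and the premium
entitlement on the server. All names, limits and user records are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

FREE_DAILY_RIGHT_SWIPES = 25  # assumed limit for this example, not a real figure


@dataclass
class User:
    user_id: str
    premium: bool = False
    # server-side record of right-swipes performed per day: {date: count}
    swipes_by_day: dict = field(default_factory=dict)


class QuotaExceeded(Exception):
    pass


def swipe_right_trusting_client(user: User, client_claimed_count: int) -> str:
    """Vulnerable pattern: the server believes whatever counter the client sends.

    Any client that sends a low number (or omits the field) is never limited,
    because the only enforcement happens in the official app's UI.
    """
    if not user.premium and client_claimed_count >= FREE_DAILY_RIGHT_SWIPES:
        raise QuotaExceeded("daily limit reached")
    return "swipe recorded"


def swipe_right_server_enforced(user: User, today: date) -> str:
    """Hardened pattern: entitlement and counter both live on the server.

    The client's only input is the intent to swipe; nothing it sends can
    raise the limit or change whether the account is premium.
    """
    used = user.swipes_by_day.get(today, 0)
    if not user.premium and used >= FREE_DAILY_RIGHT_SWIPES:
        raise QuotaExceeded("daily limit reached")
    user.swipes_by_day[today] = used + 1
    return "swipe recorded"


def simulate(trust_client: bool, attempts: int, today: date, premium: bool = False) -> int:
    """Attempt `attempts` right-swipes for one user and return how many were accepted.

    With trust_client=True the simulated client always reports a count of 0,
    which is the kind of client-side bypass the article describes.
    """
    user = User("example-user", premium=premium)
    accepted = 0
    for _ in range(attempts):
        try:
            if trust_client:
                swipe_right_trusting_client(user, client_claimed_count=0)
            else:
                swipe_right_server_enforced(user, today)
            accepted += 1
        except QuotaExceeded:
            break
    return accepted


if __name__ == "__main__":
    day = date(2020, 11, 17)
    print("client-trusting handler, free user:", simulate(True, 100, day))    # 100
    print("server-enforced handler, free user:", simulate(False, 100, day))   # 25
    print("server-enforced handler, premium:", simulate(False, 100, day, premium=True))  # 100
```

The design point is that the quota and the premium flag are facts the server already knows, so the request should carry neither; any value the client supplies for them is untrusted input. The same reasoning applies to the profile fields the article lists: the server, not the client, decides which fields a caller is entitled to read.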
(Score: 2) by looorg on Tuesday November 17 2020, @05:15PM (3 children)
Ouch! So it's a site of 100M ugly users? That or Bumble just has a very particular taste -- I guess the machine/algorithm is holding out for some Seven of Nine-like clone to interface with. If anything, why hasn't the algorithm been reversed to see what it considered to be hot or beautiful or whatever. Perhaps this Hot or Not function just isn't really used, or it's a per-user generated value depending on their preferences.
(Score: 2) by Freeman on Tuesday November 17 2020, @05:24PM (2 children)
I'm guessing it's a per user kind of thing, at least that would make the most sense to me. Why would I care about your version of hot except as it applies to me? If I was using the site, I would care what my version of hot is. Or a mutual hotness factor, so I think you're hot and you think I'm hot, so let's get together kind of thing.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by RS3 on Tuesday November 17 2020, @05:53PM (1 child)
Maybe it's the number of right-swipes vs. left-swipes?
(Score: 1, Offtopic) by Freeman on Tuesday November 17 2020, @06:29PM
Beats me, I already had my girl, before most *all?* of the current online dating sites even existed. Certainly, before it became a common practice.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 0) by Anonymous Coward on Tuesday November 17 2020, @06:28PM (2 children)
With LEAs' grubby mitts in practically every goddamn thing that exists in this universe, who in their right mind even attempts dating? 1984 is here, now.
(Score: 2) by Freeman on Tuesday November 17 2020, @06:32PM (1 child)
Everyone should just give up on dating? I am a bit confused as to what your stance is. We've got a ways to go yet, before science fiction levels of dystopia set in.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 3, Interesting) by PartTimeZombie on Tuesday November 17 2020, @10:37PM
The A/C is probably upset that girls laugh at conspiracy theories, and so he can't get a date.
In his mind that means that no-one should date.
(Score: 2, Funny) by Anonymous Coward on Tuesday November 17 2020, @08:59PM
In fact, this makes them a Humble Bumble.