Bumble Left Daters’ Location Data Up For Grabs For Over Six Months

Bumble Left Daters’ Location Data Up For Grabs For Over Six Months
Photo: Eric Baradat, Getty Images

Bumble, the dating app behemoth that’s allegedly headed to a major IPO as soon as next year, apparently took over half a year to deal with major security flaws that left sensitive information its millions of users vulnerable.

That’s according to new research posted over the weekend by cybersecurity firm Independent Security Evaluators (ISE) detailing how a bad actor — even one that was banned from Bumble — could exploit a vulnerability in the app’s underlying code to pull the rough location data for any Bumbler within their city, as well as additional profile data like photos and religious views. Despite being informed about this vulnerability in mid-March, the company didn’t patch the issues until November 12 — roughly six and a half months later.

Pre-patch, anyone with a Bumble account could query the app’s API in order to figure out roughly how many miles away any other user in their city happened to be. As the blog’s author, Sanjana Sarda, explained, if a certain creepy someone really wanted to figure out the location of a given Bumble user, it wouldn’t be too hard to set up a handful of accounts, figure out the user’s basic distance from each one, and use that collection of data to triangulate a Bumbler’s precise location.

Bumble isn’t the first company to accidentally leave this sort of data freely available. Last year, cybersecurity sleuths were able to create to glean precise locations of people using LGBT-centric dating apps like Grindr and Romeo and collate them into a user location map. And those location-data leaks are on top of the deliberate data sharing these sorts of dating apps typically already engage in with a bevy third-party partners. You would think that an app purporting to be a feminist haven like Bumble might extend its idea of user safety to its data practices.

While some of the issues described by Sarda have been resolved, the belated patch apparently didn’t tackle one of the other major API-based issues described in the blog, which allowed ISE to get unlimited swipes (or “votes” in Bumble parlance), along with access to other premium features like the ability to unswipe or to see who might have swiped right on them. Typically, accessing these features cost a given Bumbler roughly $14 dollars per week.

We’ve reached out to Bumble for comment and will update if we hear back.