When you have too much time on your hands and want to dump out Bumble’s entire user base and bypass paying for premium Bumble Boost features.
As part of ISE Labs’ research into popular dating apps (see more here), we looked at Bumble’s web application and API. Continue reading as we will demonstrate how an attacker can bypass paying for access to some of Bumble Boost’s premium features. If that doesn’t seem interesting enough, learn how an attacker can dump Bumble’s entire user-base with basic user information and pictures even if the attacker is an unverified user with a locked account. Spoiler alert — ghosting is definitely a thing.
Updates — As of November 1, 2020, all the attacks mentioned in this blog still worked. When retesting for the following issues on November 11, 2020, certain issues had been partially mitigated. Bumble is no longer using sequential user ids and has updated its previous encryption scheme. This means that an attacker cannot dump Bumble’s entire user base anymore using the attack as described here. The API request does not provide distance in miles anymore — so tracking location via triangulation is no longer a possibility using this endpoint’s data response. An attacker can still use the endpoint to obtain information such as Facebook likes, pictures, and other profile information such as dating interests. This still works for an unvalidated, locked-out user, so an attacker can make unlimited fake accounts to dump user data. However, attackers can only do this for encrypted ids that they already have (which are made available for people near you). It is likely that Bumble will fix this too within the next few days. The attacks on bypassing payment for Bumble’s other premium features still work.
Developers use REST APIs to define how the different parts of an application communicate with each other; an API can be configured to let client-side applications read data from internal servers and perform actions. For example, operations such as swiping on users, paying for premium features, and accessing user photos all occur via requests to Bumble’s API.
Since REST calls are stateless, each endpoint must check for itself whether the request issuer is authorized to perform the requested action. Additionally, even if client-side applications don’t normally send dangerous requests, attackers can automate and manipulate API calls to perform unintended actions and retrieve unauthorized data. This is the context for the flaws we found in Bumble’s API: excessive data exposure and a lack of rate limiting.
Since Bumble’s API is not publicly documented, we must reverse engineer their API calls to understand how the system treats user data and client-side requests, especially since our end goal is to trigger unintentional data leakage.
Normally, the first step would be to intercept the HTTP requests sent from the Bumble mobile app. However, since Bumble has a web application and shares the same API scheme as the mobile app, we’re going to take the easy route and intercept all incoming and outgoing requests through Burp Suite.
Bumble “Boost” premium services cost $9.99 per week. We will be focusing on finding workarounds for the following Boost features:
Unlimited Votes
Backtrack
Beeline
Unlimited Advanced Filtering — except we are also curious about ALL of Bumble’s active users, their interests, the kind of people they are interested in, and whether we can potentially triangulate their locations.
Bumble’s mobile app has a limit on the number of right swipes (votes) you can use during the day. Once users hit their daily swipe limit (approximately 100 right swipes), they have to wait 24 hours for their swipes to reset and to be shown new potential matches. Votes are processed by the following request to the SERVER_ENCOUNTERS_VOTE user action, where:
“vote”: 1 — The user has not voted.
“vote”: 2 — The user has swiped right on the user with the given person_id.
“vote”: 3 — The user has swiped left on the user with the given person_id.
On further examination, the only check on the swipe limit is in the mobile front-end; the API request itself is never checked. The web application front-end has no such check either, so using the web application instead of the mobile app means users never run out of swipes. This peculiar front-end access control pattern is behind the other Bumble issues in this blog: several API endpoints are processed by the server without any check at all.
Accidentally swiped left on someone? This is no longer an issue and you definitely don’t need Backtrack to undo your left swipe. Why? The SERVER_ENCOUNTERS_VOTE user action does not check if you have previously voted on someone. This means that if you send the API voting request directly, changing the “vote”: 3 parameter to “vote”: 2 you can “swipe right” on the user of your choice. This also means that users don’t have to worry about missed connections from 6 months ago because the API logic does not perform any sort of time check.
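As an added example (not Bumble’s code), here is the server-side enforcement that the mobile front-end was doing on its own: a handler for a SERVER_ENCOUNTERS_VOTE-style request that refuses votes from locked accounts, caps a free account’s right swipes per rolling 24 hours, and treats a repeated vote on the same person_id as Backtrack, which only a Boost subscriber gets. The Account class, the 100-swipe constant and the (accepted, reason) return shape are assumptions.

```python
from dataclasses import dataclass, field

# Vote codes as listed on the page for the SERVER_ENCOUNTERS_VOTE action.
VOTE_NONE, VOTE_YES, VOTE_NO = 1, 2, 3
DAILY_RIGHT_SWIPES = 100       # approximate free-tier limit mentioned on the page
WINDOW_SECONDS = 24 * 3600     # swipes come back 24 hours after they were used


@dataclass
class Account:
    """Constructed server-side account state (hypothetical, not Bumble's schema)."""
    user_id: str
    locked: bool = False       # hidden pending verification
    premium: bool = False      # Boost subscriber: unlimited votes and Backtrack
    right_swipes: list = field(default_factory=list)  # epoch seconds of right swipes
    votes: dict = field(default_factory=dict)         # person_id -> vote code


def handle_vote(account: Account, person_id: str, vote: int, now: float):
    """Server-side counterpart of the SERVER_ENCOUNTERS_VOTE action.

    Performs the checks the page reports were enforced only in the mobile
    front-end. Returns (accepted, reason) for the caller to map to an HTTP
    response; account state changes only when the vote is accepted.
    """
    if vote not in (VOTE_YES, VOTE_NO):
        return False, "invalid vote code"
    if account.locked:
        return False, "account locked pending verification"
    # Backtrack: changing an earlier vote is a paid feature, so a second vote
    # on the same person_id is refused for free accounts regardless of its age.
    if person_id in account.votes and not account.premium:
        return False, "already voted; Backtrack requires Boost"
    if vote == VOTE_YES and not account.premium:
        # Sliding 24-hour window over this account's right swipes, kept
        # server-side so the web client cannot simply skip the counter.
        recent = [t for t in account.right_swipes if now - t < WINDOW_SECONDS]
        if len(recent) >= DAILY_RIGHT_SWIPES:
            return False, "daily right-swipe limit reached"
        account.right_swipes = recent + [now]
    account.votes[person_id] = vote
    return True, "ok"
```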
The Beeline is one of the main features of Bumble Boost as it allows users to view all the people who have swiped right on them.
When we studied the network traffic using the Developer Console, we found a SERVER_GET_ENCOUNTERS endpoint that returns all the users in our potential match feed. What’s interesting to note, though, is that it also returns their vote, and we can use this to distinguish users who haven’t voted from users who have swiped right.
The only problem with this method of finding admirers is that if the developers decide to fix this automatic voting disclosure, we will be lost and lonely. Our next step is to try to figure out how the endpoint has the vote value in its response so that we can recreate this behavior for other requests. Hopefully, we will be able to do this by studying the original request below.
The most interesting thing about this request is the various numbers in the user_field_filter projection field. Now, our goal is to figure out what these numbers really mean.
Even before we started intercepting Bumble’s requests, we discovered a bumble-service-worker.js file while exploring the web application using the Developer Console.
Service workers are event-driven JavaScript worker files that control the site they are associated with and control how network requests are handled. These files are also responsible for background syncs.
On exploring this file we found several interesting key pairs such as those for User Fields (shown below — yellow highlights show explore-worthy fields), User Actions, Error Codes, and Feature Type Permissions.
Okay, but what if you are determined to use only the mobile app? We can use dex2jar to extract smali classes and other files from the Bumble APK and grep for the same information. For example, we used grep -i -r "USER_FIELD" to find the locations of all the User Fields and their constant values. The following image shows the constant for USER_FIELD_IS_HOT, 0x104, which is hex for 260.
Now that we know that the code for “their_vote” is 560 and “my_vote” is 550, we can force the request for the SERVER_GET_USER endpoint that retrieves user data to include this information for a specific user (this method can also potentially be used for other endpoints).
The last Boost feature that we will be “emulating” is the ability to find users using unlimited additional filters. However, we shall do this by enumerating Bumble’s users all around the world (except users with deleted accounts), using the SERVER_GET_USER endpoint with additional user fields, and separating this information in a spreadsheet. We can then filter for the features we are looking for via the following script which you can use, for example, to find all the users within 10 miles of your current location.
Disclaimer — please don’t use this script to do nefarious things, it has been made strictly for educational purposes and as a proof of concept.
The album field consists of all pictures uploaded to the app by a user (370). If an account is connected to Facebook, you can retrieve all of their “interests” or pages they have liked (420).
The “wish” field tells you what they are doing on the app and the exact kind of people they are looking for (360).
The “profile” fields provide information such as their descriptions, education, height, smoking and drinking preferences, voting status, political preference, religious beliefs, and zodiac (this information is technically already displayed by the application)(490).
Other interesting information is whether they have the mobile application installed (680), whether they are “hot” (260) (we still have not found anyone who Bumble thinks is hot), whether they are “online” (330), and their distance in miles if they are in the same city (530) (since attackers can easily spoof their location, triangulation is definitely a possibility). Note that the request requires a User-Agent header for the same-city distance in miles to show up. For a better idea of the information you can retrieve, here is a sample user response.
Our accounts eventually got locked and hidden for more verification requirements. We tested retrieving user data while our account was locked, and it still worked. So even though other endpoints such as SERVER_ENCOUNTERS_VOTE check for locked users, the SERVER_GET_USER endpoint does not.
This script works because Bumble has not enabled rate limiting on its API and, instead of accepting only encrypted_user_ids, allows users to be looked up by their actual user_ids, which are sequential (approximately 0 to 2,000,000,000).
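The following is an added example (not Bumble’s code) of the server-side controls whose absence the passage above describes: a SERVER_GET_USER-style handler that refuses locked or unverified requesters, applies a per-account rate limit, accepts only HMAC-tagged opaque ids so raw sequential user_ids cannot be looked up, and intersects the client’s user_field_filter projection with an allow-list so their_vote (560) is served only to Boost subscribers. The field groupings, the signing secret, the 60-per-minute limit and the requester dict are assumptions.

```python
import base64
import hashlib
import hmac
from collections import defaultdict, deque

# User-field codes recovered from bumble-service-worker.js, as listed on the page.
USER_FIELD_IS_HOT, USER_FIELD_ONLINE, USER_FIELD_WISH = 260, 330, 360
USER_FIELD_ALBUM, USER_FIELD_INTERESTS, USER_FIELD_PROFILE = 370, 420, 490
USER_FIELD_DISTANCE_MILES, USER_FIELD_MY_VOTE, USER_FIELD_THEIR_VOTE = 530, 550, 560
USER_FIELD_MOBILE_INSTALLED = 680

# Hypothetical projection policy (not Bumble's): the fields a client may ask for
# about another user. Anything outside the requester's allow-list is dropped
# server-side instead of being honoured because the user_field_filter asked.
BASE_FIELDS = {USER_FIELD_WISH, USER_FIELD_ALBUM, USER_FIELD_INTERESTS,
               USER_FIELD_PROFILE, USER_FIELD_MY_VOTE}
BOOST_FIELDS = BASE_FIELDS | {USER_FIELD_THEIR_VOTE}    # Beeline is a paid feature
SECRET = b"constructed-server-secret"                    # placeholder signing key
REQUESTS_PER_WINDOW, WINDOW_SECONDS = 60, 60             # hypothetical rate limit
_request_log = defaultdict(deque)                        # requester id -> timestamps

def make_opaque_id(user_id: int) -> str:
    """Tag the numeric id with an HMAC so clients only hold ids the server issued."""
    msg = str(user_id).encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(msg + tag).decode().rstrip("=")

def resolve_opaque_id(token: str):
    """Return the numeric id, or None for raw, guessed or tampered ids."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:                 # binascii.Error is a ValueError subclass
        return None
    msg, tag = raw[:-16], raw[-16:]
    expected = hmac.new(SECRET, msg, hashlib.sha256).digest()[:16]
    if len(tag) != 16 or not hmac.compare_digest(tag, expected):
        return None
    return int(msg)

def within_rate_limit(requester_id: int, now: float) -> bool:
    """Sliding-window counter per requester; the page found no limit at all."""
    log = _request_log[requester_id]
    while log and now - log[0] >= WINDOW_SECONDS:
        log.popleft()
    if len(log) >= REQUESTS_PER_WINDOW:
        return False
    log.append(now)
    return True

def get_user(requester: dict, target_token: str, projection, now: float):
    """Server-side counterpart of SERVER_GET_USER for one requester.

    requester is {"id", "verified", "locked", "boost"}; returns (status, fields)
    where fields is the projection actually served for the target user.
    """
    if requester["locked"] or not requester["verified"]:
        return "forbidden", set()       # the page found locked accounts were still served
    if not within_rate_limit(requester["id"], now):   # counted before the lookup
        return "rate_limited", set()
    if resolve_opaque_id(target_token) is None:
        return "not_found", set()       # raw sequential user_ids are not accepted
    allowed = BOOST_FIELDS if requester["boost"] else BASE_FIELDS
    return "ok", set(projection) & allowed
```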
Most of the issues in this blog stem from Bumble not verifying requests server-side. Due to this, advanced users can bypass Bumble’s main premium features easily through the web application, and attackers can collect detailed information about Bumble users.
March 30, 2020: ISE’s initial contact disclosing vulnerabilities on HackerOne
March 31, 2020: Report triaged on HackerOne
June 16, 2020: ISE’s second contact sent via HackerOne asking for Updates — No response.
July 9, 2020: ISE’s third contact mentioning our public disclosure plan sent to Bumble’s feedback email — No response.
July 10, 2020: ISE’s fourth contact sent to Bumble’s partnership form — No response.
November 12, 2020: Report resolved on HackerOne.
Bumble has not responded to any of ISE’s direct contact attempts.
Related reading: User Information Disclosure in Dating Apps: Extracting user data from mobile apps to craft exploits (blog.securityevaluators.com)
Sanjana Sarda is a Junior Security Analyst at Independent Security Evaluators, a firm of security specialists that provide a wide range of services including custom security assessments and software development. ISE also runs IoT Village, which hosts talks by expert security researchers who dissect real-world exploits and hacking contests consisting of off-the-shelf IoT devices.