Bumble No1 Vulnerabilities to Pinpoint Users

Introduction

In a startling revelation, a team of researchers from KU Leuven, a prominent Belgian university, discovered significant vulnerabilities in the design of several popular dating apps, including Bumble and Hinge. These vulnerabilities allowed malicious users or stalkers to pinpoint the exact location of their victims with remarkable precision, down to just 2 meters. The findings, detailed in a recent academic paper, raise critical concerns about user privacy and security on dating platforms.

Research Findings

The study analyzed 15 widely-used dating apps, identifying Badoo, Bumble, Grindr, happn, Hinge, and Hily as having the same critical vulnerability. This flaw could enable a malicious actor to determine the near-exact location of another user. Although these apps do not share exact locations publicly, they utilize precise coordinates for their “filters” feature, which users employ to search for potential matches based on various criteria, including distance.

Oracle Trilateration Technique

The researchers employed a novel technique they termed “oracle trilateration” to exploit these vulnerabilities. Traditional trilateration, like that used in GPS, involves using three known points to determine a target’s location by measuring distances. Oracle trilateration modifies this approach, starting with a rough estimate of the victim’s location based on the profile information. The attacker then incrementally moves until the target is no longer within proximity, repeating this in three different directions. This method allows the attacker to obtain three positions with known exact distances, enabling them to triangulate the victim’s precise location.

Implications and Responses

Karel Dhondt, one of the researchers, expressed surprise at finding such vulnerabilities in popular apps, noting that while the technique does not reveal exact GPS coordinates, pinpointing a user within 2 meters is sufficiently precise for stalking purposes.

Remedial Measures

Fortunately, all the affected apps have since addressed these issues. They have altered how distance filters work, rendering them immune to the oracle trilateration technique. The primary fix involved rounding the exact coordinates to three decimals, creating an uncertainty of approximately one kilometer.

A Bumble spokesperson confirmed that the company became aware of the findings in early 2023 and promptly resolved the issues. Dmytro Kononov, CTO and co-founder of Hily, noted that although their internal mechanisms made practical exploitation of the vulnerability unlikely, they collaborated with the researchers to develop new geocoding algorithms to eliminate the risk completely.

Happn CEO Karima Ben Abdelmalek highlighted that their platform includes additional protection measures not considered in the researchers’ analysis, making the trilateration technique ineffective on their app.

Grindr’s Unique Position

Grindr, another popular dating app, was also found to have a location vulnerability, though less precise at around 111 meters. While still potentially dangerous, this precision is not as alarming as the 2 meters found in other apps. Grindr rounds users’ locations by three decimals, a feature designed to protect user privacy while maintaining the app’s core functionality.

Kelly Peterson Miranda, Chief Privacy Officer at Grindr, emphasized the importance of proximity for user interaction within the LGBTQ+ community. She also noted that users could disable location information display if desired.
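The coordinate rounding described under Remedial Measures and for Grindr can be checked from the defender's side. The sketch below is an added example, not code from the researchers or from any of the apps: it compares a distance filter that decides on exact coordinates with one that snaps both positions to a grid first. All function names, coordinates and the 1 km radius are constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points given in degrees."""
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def snap(lat, lon, decimals=3):
    """Round a coordinate pair onto a fixed grid before any distance logic."""
    return round(lat, decimals), round(lon, decimals)

def filter_exact(viewer, target, radius_m):
    """Pre-fix behaviour: the filter decides on precise coordinates."""
    return haversine_m(*viewer, *target) <= radius_m

def filter_snapped(viewer, target, radius_m, decimals=3):
    """Hardened behaviour (assumed design): both positions are snapped first,
    so the answer is the same for every target position inside one grid cell."""
    return haversine_m(*snap(*viewer, decimals), *snap(*target, decimals)) <= radius_m

def answers(filter_fn, target, probes, radius_m):
    """Filter results seen from a set of viewer positions for one target."""
    return [filter_fn(p, target, radius_m) for p in probes]

def cell_height_m(decimals=3):
    """North-south size of one grid cell in metres."""
    return haversine_m(0.0, 0.0, 10 ** -decimals, 0.0)

# Constructed sample data: two target positions about 30 m apart inside the
# same three-decimal grid cell, and viewer positions near a 1 km filter edge.
TARGET_A = (47.60812, -122.33504)
TARGET_B = (47.60838, -122.33512)
PROBES = [(47.6171 + i * 0.00005, -122.33500) for i in range(12)]
RADIUS_M = 1000.0

if __name__ == "__main__":
    print("exact   A:", answers(filter_exact, TARGET_A, PROBES, RADIUS_M))
    print("exact   B:", answers(filter_exact, TARGET_B, PROBES, RADIUS_M))
    print("snapped A:", answers(filter_snapped, TARGET_A, PROBES, RADIUS_M))
    print("snapped B:", answers(filter_snapped, TARGET_B, PROBES, RADIUS_M))
    print("cell height (m):", round(cell_height_m(3), 1))
```

With the exact filter the two target positions produce different answer patterns, which is the signal the filter leaks; with snapping the patterns are identical, so the filter cannot distinguish positions inside one cell.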

Conclusion

The KU Leuven researchers’ findings underscore the critical importance of robust privacy and security measures in dating apps. While the vulnerabilities have been addressed, the incident highlights the need for continuous vigilance and improvement in protecting user data. As dating apps continue to evolve and integrate more sophisticated features, ensuring user safety must remain a top priority for developers and platform operators alike.
