Description

The attacker is able to fake their own location, and then use the app’s API to determine the distance between themselves and other users.

This allows them to triangulate a user’s position with sufficient precision that they can be pinpointed on a map.

This attack was possible because:

Bumble did not validate the latitude/longitude values sent by clients when creating new chats — it only checked that they fell within an acceptable range of values (which in this case happened to include all latitudes). The client-side code also contained no checks for invalid locations, so any value could be used without causing an error.
https://t.co/u5S1AGyX9L
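As an added example (not Bumble's code and not from the original write-up), the server-side sketch below shows two mitigations for a distance oracle like the one described above: strict validation of client-supplied coordinates, and snapping both endpoints to a coarse grid and rounding the result before it is returned, so that small shifts in a spoofed querier location do not change the reported distance. The sample coordinates, grid size and distance bucket are constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0


def is_valid_coordinate(lat, lon):
    """Accept only finite numbers that lie on the globe.

    A bare range check (what the page says Bumble did) is kept, but the
    type and isfinite() checks make rejection of strings, booleans, NaN
    and +/-inf explicit instead of relying on comparison semantics.
    """
    for v in (lat, lon):
        if isinstance(v, bool) or not isinstance(v, (int, float)):
            return False
        if not math.isfinite(v):
            return False
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84-style points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def snap_to_grid(lat, lon, cell_deg):
    """Move a point to the south-west corner of its grid cell."""
    return (math.floor(lat / cell_deg) * cell_deg,
            math.floor(lon / cell_deg) * cell_deg)


def reported_distance_m(querier, target, cell_deg=0.01, bucket_m=1000):
    """Distance the API would return: validated, grid-snapped, rounded up."""
    for point in (querier, target):
        if not is_valid_coordinate(*point):
            raise ValueError("invalid coordinates: %r" % (point,))
    qlat, qlon = snap_to_grid(*querier, cell_deg)
    tlat, tlon = snap_to_grid(*target, cell_deg)
    exact = haversine_m(qlat, qlon, tlat, tlon)
    return math.ceil(exact / bucket_m) * bucket_m


# Constructed sample points (central London); QUERIER_B is ~100 m north
# of QUERIER_A, the kind of small step a spoofed client would take.
TARGET = (51.5074, -0.1278)
QUERIER_A = (51.5253, -0.1047)
QUERIER_B = (51.5262, -0.1047)
```

With a 0.01 degree cell and 1 km buckets, both queriers receive the same answer, which is the property that defeats fine-grained distance probing; the trade-off is coarser "distance away" display for legitimate users.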
