The attacker is able to fake their own location, and then use the app's API to determine the distance between themselves and other users.
Description
This allows them to triangulate a user's position with sufficient precision that they can be pinpointed on a map.
This attack was possible because:
Bumble did not validate the latitude/longitude values sent by clients when creating new chats; it only checked whether they were within an acceptable range of values (which in this case happened to include all latitudes). The client-side code also contained no checks for invalid locations, so any value could be used without causing an error.
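A server-side check of the kind the missing validation calls for, as an added example (not Bumble's code and not from the original page): it puts the range-only check beside a travel-speed plausibility check and coarsens the distance that is reported back. `MAX_SPEED_KMH`, `GRID_DEG`, the function names and the sample coordinates used with it are assumptions made for illustration.

```python
import math

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0   # assumed ceiling, roughly airliner speed
GRID_DEG = 0.01          # assumed snap grid, about 1.1 km of latitude

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def in_range(lat, lon):
    """Range-only check: true for any point on Earth, so it stops no spoofing."""
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0

def accept_update(prev, new):
    """prev/new are (lat, lon, unix_seconds); prev is None for a first report.
    Rejects out-of-range values and jumps that imply impossible travel speed."""
    lat, lon, ts = new
    if not (all(map(math.isfinite, (lat, lon))) and in_range(lat, lon)):
        return False
    if prev is None:
        return True
    hours = (ts - prev[2]) / 3600.0
    if hours <= 0:
        return False  # replayed or back-dated timestamp
    return haversine_km(prev[0], prev[1], lat, lon) / hours <= MAX_SPEED_KMH

def snap(lat, lon):
    """Snap a coordinate to the grid before any distance is computed."""
    return (round(lat / GRID_DEG) * GRID_DEG, round(lon / GRID_DEG) * GRID_DEG)

def reported_distance_km(viewer, target):
    """Distance returned to the viewer, computed from snapped points and
    rounded to whole kilometres, so moves within one grid cell change nothing."""
    (a, b), (c, d) = snap(*viewer), snap(*target)
    return round(haversine_km(a, b, c, d))
```

A location report that passes `in_range` can still be rejected by `accept_update`, which is the gap the range-only validation left open.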
https://t.co/u5S1AGyX9L
References