This is being published with the permission of Bumble under its responsible disclosure policy. The vulnerability detailed in this blog post was found through HackerOne's bug bounty program and was closed with the help of the Bumble security team.
About Bumble: Bumble is a location-based social application that facilitates communication between interested users. Unlike its competition, Bumble adds some unique features such as 'expiring matches' and 'gender-based chat initiation' to make the experience more authentic for its users. The app is available on both Android and iOS.
There was a bug involving Bumble's get_user API and its chat API that enabled an attacker to craft and send the first message to anyone in their beeline or match queue, even from a male profile. Moreover, by supplying specific projection codes, one could obtain exact details such as the location, likes and interests* of the profiles in the beeline (that is, the profiles that have liked you but have not yet appeared in your deck for you to swipe left or right on).
Bumble's USP is that only the female side of a match is allowed to initiate a conversation. It enforces this at its backend by checking the values of certain flags, namely the is_match parameter and the unique_id parameter.
The message feature is meant to be enabled only when both of the following criteria are met:
- the is_match flag is set to True
- an unencrypted unique_id is passed to the chat API through the instance_id parameter
I used an IDOR (Insecure Direct Object Reference) attack to craft a chat message that bypassed the above check.
Whenever a profile is loaded, the SERVER_GET_USER_LIST API is called. This API queries the database for the profiles to be loaded using specific 'projection' codes and 'folder reference' codes. For example, projection code 630 returns how you and the other person have voted on each other (vote code 2 means a right swipe, 3 means a left swipe, and 1 means the person has not yet visited your profile). The same criterion can be used to tell whether the deck loaded for you contains any profile that has already right-swiped you.
Steps to reproduce:
- Log in to your Bumble profile.
- In the SERVER_GET_USER_LIST request, replace the folder ID 0 with 7. This folder contains the profiles in your deck / that you have right-swiped on (picture 1); through it, you may choose to swipe left on them again if desired.
- Inspect the response to that request (for example by replaying it in Repeater). The unique user ID of each profile is shown in plain text, unlike everywhere else in the app, where user IDs are encrypted.
- Adding further parameters to the projection field also returns information such as the user's vote. We can also increase the 'count' to get details of more profiles. By playing with both the projection codes and the count, one can obtain further details of the profiles in the beeline, such as place, likes, dislikes and interests*, before they are ever matched.
- With a unique user_ID in hand, open any chat instance (you may do this by clicking on any of your chat boxes) so that the chat request can be intercepted.
- The SERVER_OPEN_CHAT API request has two fields of interest: chat_instance_id and the message text.
- Paste the unique_id into the chat_instance_id field and type the desired message into the message text.
- Through this, one can send a message to anyone whose unique ID is known, without the match and message-initiation checks ever being applied.
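The following is an added example, not Bumble's code or anything from the HackerOne report: a toy model of the two endpoints described above, showing why a chat endpoint that accepts a raw unique_id in chat_instance_id (and a client-asserted is_match) lets a male profile message anyone whose ID leaked from folder 7, and what the server-side alternative looks like. The vote codes (1/2/3), the folder number and the "woman messages first" rule follow the post's description; every class, function and the is_match-as-request-parameter modelling are assumptions made for the illustration, not Bumble's real implementation.

```python
"""Toy model (added example, not Bumble's code) of the IDOR described in the post.

Assumptions (not from the post): user records, an HMAC-bound opaque chat handle,
and is_match being a client-supplied request parameter in the vulnerable handler.
"""
from dataclasses import dataclass, field
import hashlib
import hmac

# Vote codes as described in the post: 1 = not yet seen, 2 = right swipe, 3 = left swipe
VOTE_UNSEEN, VOTE_RIGHT, VOTE_LEFT = 1, 2, 3


@dataclass
class User:
    user_id: str
    gender: str                                  # "F" or "M"
    votes: dict = field(default_factory=dict)    # other user_id -> vote code


class ChatBackend:
    def __init__(self, users, secret):
        self.users = {u.user_id: u for u in users}
        self.secret = secret                     # server-only key, never sent to clients
        self.messages = []                       # (sender, recipient, text)

    def vote(self, viewer, target):
        return self.users[viewer].votes.get(target, VOTE_UNSEEN)

    def is_match(self, a, b):
        """A match exists only when both sides right-swiped each other (server state)."""
        return self.vote(a, b) == VOTE_RIGHT and self.vote(b, a) == VOTE_RIGHT

    def opaque_id(self, viewer, target):
        """Viewer-bound handle: useless as a chat_instance_id for any other account."""
        mac = hmac.new(self.secret, f"{viewer}:{target}".encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    # --- SERVER_GET_USER_LIST -------------------------------------------------
    def get_user_list_vulnerable(self, viewer, folder):
        """Folder 7 (people who right-swiped the viewer, per the post) returns raw user_ids."""
        if folder == 7:
            return [u for u in self.users if u != viewer and self.vote(u, viewer) == VOTE_RIGHT]
        return []

    def get_user_list_fixed(self, viewer, folder):
        """Same folder, but the client only ever sees a viewer-bound opaque handle."""
        if folder == 7:
            return [self.opaque_id(viewer, u) for u in self.users
                    if u != viewer and self.vote(u, viewer) == VOTE_RIGHT]
        return []

    # --- SERVER_OPEN_CHAT -----------------------------------------------------
    def open_chat_vulnerable(self, sender, chat_instance_id, is_match, text):
        """Trusts the client's is_match flag and treats a raw user_id as the recipient."""
        if not is_match or chat_instance_id not in self.users:
            return False
        self.messages.append((sender, chat_instance_id, text))
        return True

    def open_chat_fixed(self, sender, chat_instance_id, text):
        """Ignores client flags: the handle must resolve to a real match of the sender,
        and the first message in a match must come from the woman (the post's rule)."""
        target = next((u for u in self.users
                       if self.opaque_id(sender, u) == chat_instance_id), None)
        if target is None or target == sender or not self.is_match(sender, target):
            return False
        first = not any({s, r} == {sender, target} for s, r, _ in self.messages)
        if first and self.users[sender].gender != "F":
            return False
        self.messages.append((sender, target, text))
        return True


def demo():
    """Replays the post's steps against both handlers. Constructed sample data."""
    alice = User("alice", "F", {"mallory": VOTE_RIGHT})      # alice right-swiped mallory
    mallory = User("mallory", "M", {"alice": VOTE_UNSEEN})   # mallory has not seen alice
    backend = ChatBackend([alice, mallory], secret=b"server-only-key")
    leaked = backend.get_user_list_vulnerable("mallory", 7)  # folder 7 leaks 'alice'
    vuln_sent = backend.open_chat_vulnerable("mallory", leaked[0], True, "hi")  # bypass
    handle = backend.get_user_list_fixed("mallory", 7)[0]
    fixed_sent = backend.open_chat_fixed("mallory", handle, "hi")  # refused: no match
    return leaked, vuln_sent, fixed_sent


if __name__ == "__main__":
    print(demo())
```

The point of the fixed handler is that neither the folder listing nor the client request carries authority: the match state and the message-initiation rule are looked up on the server for the authenticated sender, so leaking an identifier (opaque or not) no longer grants the ability to message.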
I reported this bug to Bumble at hackerone.com. The team actively worked on it, triaged the bug, and closed it. They also awarded me a bounty, deeming this a vulnerability 🙂
(*Interests of beeline profiles are only shown if the person has linked his/her Facebook profile.)