As part of ISE Labs' research into popular dating apps (see more here), we looked at Bumble's web application and API. Continue reading as we demonstrate how an attacker can bypass paying for access to some of Bumble Boost's premium features. If that doesn't seem interesting enough, learn how an attacker can dump Bumble's entire user base, with basic user information and pictures, even if the attacker is an unverified user with a locked account. Spoiler alert - ghosting is definitely a thing.

Updates

As of November 1, 2020, all the attacks mentioned in this blog still worked. When retesting for the following issues on November 11, 2020, certain issues had been partially mitigated. Bumble is no longer using sequential user ids and has updated its previous encryption scheme. This means that an attacker can no longer dump Bumble's entire user base using the attack as described here. The API response no longer provides distance in miles, so tracking location via triangulation is no longer possible using this endpoint's data. An attacker can still use the endpoint to obtain information such as Facebook likes, pictures, and other profile information such as dating interests. This still works for an unvalidated, locked-out user, so an attacker can make unlimited fake accounts to dump user data. However, attackers can only do this for encrypted ids that they already have (which are made available for people near you). It is likely that Bumble will fix this too within the next few days. The attacks on bypassing payment for Bumble's other premium features still work.

Reverse Engineering REST APIs

Developers use REST APIs to dictate how different parts of an application communicate with each other; an API can be configured to allow client-side applications to access data from internal servers and perform actions.
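The update above explains why moving from sequential user ids to encrypted ids shrinks the attack surface: a client can still resolve ids it was legitimately handed, but can no longer walk the id space. The following Python example is added here to illustrate that design point; it is not Bumble's code and does not describe Bumble's actual scheme. The in-memory user table, the server key and the HMAC-tagged id format are all constructed assumptions chosen for the demonstration.

```python
import hmac
import hashlib

# Constructed in-memory "user table" keyed by sequential integer ids.
USERS = {i: {"name": f"user{i}", "interests": ["hiking", "music"]} for i in range(1, 6)}

# Constructed server-side secret for the demo. A real service would keep this in a
# secrets store and rotate it; it must never be sent to clients.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"

def lookup_sequential(user_id):
    """Weak design: the raw integer id is the lookup key, so any client that can
    call the endpoint can iterate 1..N and collect every profile."""
    return USERS.get(user_id)

def _tag(user_id, key):
    # Short HMAC tag binding the numeric id to the server key.
    return hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()[:32]

def mint_opaque_id(user_id, key=SERVER_KEY):
    """Hardened design: the id handed to clients is '<hex id>.<HMAC tag>'.
    Without the key, a client cannot produce a tag that verifies, so ids it was
    never given (users not shown to it) are unusable."""
    return f"{user_id:08x}.{_tag(user_id, key)}"

def lookup_opaque(opaque_id, key=SERVER_KEY):
    """Resolve an opaque id; return None for malformed or forged ids."""
    try:
        hex_id, tag = opaque_id.split(".")
        user_id = int(hex_id, 16)
    except ValueError:
        return None
    # Constant-time comparison so the check does not leak the expected tag byte by byte.
    if not hmac.compare_digest(tag, _tag(user_id, key)):
        return None
    return USERS.get(user_id)

def enumerate_profiles(lookup, candidates):
    """Count how many candidate ids resolve; models a client sweeping the id space."""
    return sum(1 for c in candidates if lookup(c) is not None)

if __name__ == "__main__":
    # Sequential ids: a sweep of 1..99 recovers the whole table.
    print("sequential sweep found:", enumerate_profiles(lookup_sequential, range(1, 100)))
    # Opaque ids: the same sweep with guessed tags recovers nothing.
    guessed = [f"{i:08x}.{'0' * 32}" for i in range(1, 100)]
    print("opaque sweep found:", enumerate_profiles(lookup_opaque, guessed))
    # An id the server actually issued (e.g. for a nearby profile) still resolves,
    # which is exactly the residual exposure the update describes.
    print("issued id resolves:", lookup_opaque(mint_opaque_id(3)) is not None)
```

The residual risk in the update is visible in the last line: opaque ids stop bulk enumeration, but any id the server chooses to hand out (such as profiles shown to a nearby user) remains resolvable, so the endpoint's authorization check, including whether the caller's account is verified and in good standing, still has to do its own work.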