
Bumble and OkCupid Have a Flaw Putting User Data of Millions at Risk

Data security has been gaining prominence in recent years thanks to data activists and experts. As more and more people have started asking questions regarding their user data, companies have also started to become more stringent. User data becomes quite sensitive, especially when used to find suitable matches on popular dating websites and apps. A recent allegation regarding a significant flaw in apps such as OkCupid, Bumble, and Grindr has left millions worried about their personal data. Here’s a quick look at what the flaw is, how it can impact people, and what the experts are doing about it.

Bumble Putting User Data of Millions at Risk

Apps such as OkCupid, Grindr, Bumble, Yango Pro, PowerDirector, and several others are vulnerable to a flaw in the Play Core library. This defect puts the user data of millions of people at risk, according to a report by Check Point. The research firm says that although Google patched this flaw in April, app developers are yet to make the required changes. For the fix to work, the developers have to install the new Play Core library to neutralize the threat. However, all the apps mentioned above still make use of the old library, putting them at risk. Apps such as Booking and Viber were some of the few that updated their Play Core library and mitigated the risk.


What is the flaw?

The security experts at Check Point noted that Bumble, Grindr, and OkCupid are vulnerable to CVE-2020-8913. While Google released a patch in April for the flaw, which is rooted in the widely used Play Core library, failure to update the library leaves these apps at risk. The Play Core library is responsible for notifying users of in-app updates and feature modules for their phones. CVE-2020-8913 allows threat actors to siphon off user data through these vulnerable apps. As a result, the flaw could lead to millions of people losing their private information. The leaked data will include critical information, including financial details, email passwords, and login credentials. The CVE-2020-8913 flaw allows hackers to add their own executable modules to apps that use the Play Core library. Hence, arbitrary code can be made to execute inside these apps with malicious intent.

Google’s Response

Google acknowledged that the bug was serious and gave it a severity rating of 8.8 out of 10. They responded quickly by releasing a patch that remedied the problem, way back in April. However, app developers have not been careful enough and are yet to install the new update, putting millions at risk of a data breach. Experts at Check Point note that over 13% of all Google Play apps they analyzed in September leveraged the Google Play Core library. Unfortunately, over 8% of these apps still used the vulnerable version, with only a few making the switch to the safer version. Even ones like Viber and Booking only updated after the experts at Check Point brought the matter to their attention.

Potential Danger

Aviran Hazum, who serves as the Manager of Research on Mobiles at Check Point, believes that hundreds of millions of users now face a security risk. Since CVE-2020-8913 is highly dangerous, developers' failure to install the new patch is highly risky. If a malicious application exploits this vulnerability, it can compromise several popular applications and gain the same access as the compromised app. For instance, the vulnerability allows the theft of two-factor authentication codes or even banking application credentials.

A threat actor could also manipulate social media apps to spy on others and grab messages from people, leading to a large number of attack possibilities. Hence, all users who have such apps on their phones are putting their data at risk. Experts are therefore recommending that users uninstall these apps until developers install the new patch and mitigate the risk of a breach. Since the security firm has notified the apps regarding the vulnerability, an update is expected soon from their side. Following such an update, users can reinstall the apps and continue to use them as they did before.