[New post] The attacker is able to fake their own location, and then use the app’s API to determine the distance between themselves and other users.

restapisecurity posted: "This allows them to triangulate a user's position with sufficient precision that they can be pinpointed on a map. This attack was possible because: Bumble did not validate the latitude/longitude values sent by clients when creating new chats — it only c" New post on API Security Blog The attacker is able to fake their own location, and then use the app's API to determine the distance between themselves and other users. by restapisecurity This allows them to triangulate a user's position with sufficient precision that they can be pinpointed on a map. This attack was possible because: Bumble did not validate the latitude/longitude values sent by clients when creating new chats — it only checked whether or not they were within an acceptable range of values (which in this case happened to include all latitudes). The client-side code also contained no checks for invalid locations, so any value could be used without causing an error https://t.co/u5S1AGyX9L restapisecurity | September 2, 2021 at 6:05 am | Categories: Uncategorized | URL: https://wp.me/pdg2Il-gH Like Unsubscribe to no longer receive posts from API Security Blog. Change your email settings at Manage Subscriptions. Trouble clicking? Copy and paste this URL into your browser: http://api-security.blog/2021/09/02/the-attacker-is-able-to-fake-their-own-location-and-then-use-the-apps-api-to-determine-the-distance-between-themselves-and-other-users/ Thanks for flying with WordPress.com