Digital Travel App TripBFF Exposed Location Data Way Too Accurately
Security researcher Jonathan Leitschuh discovered critical privacy vulnerabilities in TripBFF, a travel app with 1M+ downloads. The app exposed exact latitude/longitude coordinates and full birthdates for all users through unauthenticated APIs. By manipulating API requests, researchers could enumerate users globally without physically moving, and non-premium users could bypass payment restrictions. The "Hide my nearby distance" privacy feature failed to protect location data. TripBFF responded quickly with server-side fixes including coordinate jittering (1 km grid, ±400 m) and birthday obfuscation, though some promised client-side improvements remain unimplemented. The incident highlights the importance of professional security testing for location-based applications.
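To make the server-side location fix concrete, here is an added example (not TripBFF's code, and not from the original article) of the coordinate obfuscation the summary describes: snap the true coordinate to a 1 km grid, then displace it by up to ±400 m. The interpretation of "1 km grid ±400 m" as snap-then-jitter, the HMAC-derived per-user offset, and the secret and sample coordinate are all assumptions of this example. The per-user offset is a defensive design choice the page does not spell out: if the jitter were freshly random on every request, a caller could repeat the query and average the answers back toward the true point, so the offset is kept stable for a given user instead. Birthday obfuscation is not covered here because the page gives no detail on it.

```python
import hashlib
import hmac
import math

METERS_PER_DEG_LAT = 111_320.0   # approximate metres per degree of latitude; fine for coarse snapping
GRID_M = 1_000.0                 # 1 km grid cell, as in the fix described above
JITTER_M = 400.0                 # ±400 m displacement, as in the fix described above

# Constructed secret for this example only; a real service would load it from a secret store.
JITTER_SECRET = b"example-server-side-secret-not-real"


def _metres_per_deg_lon(lat: float) -> float:
    """Longitude degrees shrink toward the poles; floor the scale so we never divide by zero."""
    return METERS_PER_DEG_LAT * max(math.cos(math.radians(lat)), 1e-3)


def _stable_offset_m(user_id: str, axis: str) -> float:
    """Derive an offset in [-JITTER_M, +JITTER_M] that is stable per user and axis.

    Because the offset is a keyed hash of the user id rather than fresh randomness,
    repeated queries return the same displaced point and cannot be averaged away.
    """
    digest = hmac.new(JITTER_SECRET, f"{user_id}:{axis}".encode(), hashlib.sha256).digest()
    fraction = int.from_bytes(digest[:8], "big") / 2**64   # uniform in [0, 1)
    return (fraction * 2 - 1) * JITTER_M


def obfuscate_location(lat: float, lon: float, user_id: str) -> tuple[float, float]:
    """Snap (lat, lon) to the nearest 1 km grid node, then apply the stable ±400 m jitter.

    The snap moves the point by at most 500 m per axis and the jitter by at most 400 m,
    so the returned point is never more than 900 m per axis from the true location,
    and never exactly the true location except by coincidence.
    """
    m_per_deg_lon = _metres_per_deg_lon(lat)
    # Work in metres: round to the nearest whole grid cell, then convert back to degrees.
    lat_m = round(lat * METERS_PER_DEG_LAT / GRID_M) * GRID_M
    lon_m = round(lon * m_per_deg_lon / GRID_M) * GRID_M
    lat_m += _stable_offset_m(user_id, "lat")
    lon_m += _stable_offset_m(user_id, "lon")
    return lat_m / METERS_PER_DEG_LAT, lon_m / m_per_deg_lon


def displacement_m(lat1: float, lon1: float, lat2: float, lon2: float) -> tuple[float, float]:
    """Approximate per-axis distance in metres between two nearby points (equirectangular)."""
    return (abs(lat2 - lat1) * METERS_PER_DEG_LAT,
            abs(lon2 - lon1) * _metres_per_deg_lon(lat1))


def within_budget(lat: float, lon: float, user_id: str, budget_m: float = GRID_M / 2 + JITTER_M) -> bool:
    """Check that the obfuscated point stays inside the expected 900 m per-axis envelope."""
    olat, olon = obfuscate_location(lat, lon, user_id)
    dlat, dlon = displacement_m(lat, lon, olat, olon)
    return dlat <= budget_m + 1e-6 and dlon <= budget_m + 1e-6


if __name__ == "__main__":
    # Constructed sample coordinate (roughly central Paris), not a real user's data.
    true_lat, true_lon = 48.858370, 2.294481
    shown = obfuscate_location(true_lat, true_lon, "user-123")
    print("true:", (true_lat, true_lon))
    print("served:", shown)
    print("per-axis displacement (m):", displacement_m(true_lat, true_lon, *shown))
```

In an API handler this function would sit between the database read and the response serializer so that raw coordinates never leave the server; the "Hide my nearby distance" toggle described above would then be enforced at the same point rather than left to the client.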
Table of contents
Enter Adam Baldwin (aka EvilPacket)
Hacking TripBFF
Findings
Proposed Fixes
Response by the TripBFF Team
Areas for Further Exploration
Conclusion