A TripBFF API flaw exposed precise user locations and birthdays, allowing anyone to track travelers across the globe and creating major mobile privacy risks.

InfoSecWriteUps' platform is  dedicated to providing insights and resources for cybersecurity professionals and enthusiasts. Through articles, tutorials, and security research, InfoSecWriteUps offers insights into cybersecurity vulnerabilities, attack techniques, and defense strategies. Readers can learn about penetration testing, threat intelligence, and incident response to enhance their cybersecurity knowledge and skills.

InfoSec Write-ups

Security researcher Jonathan Leitschuh discovered critical privacy vulnerabilities in TripBFF, a travel app with 1M+ downloads. The app exposed exact latitude/longitude coordinates and full birthdates for all users through unauthenticated APIs. By manipulating API requests, researchers could enumerate users globally without physically moving, and non-premium users could bypass payment restrictions. The "Hide my nearby distance" privacy feature failed to protect location data. TripBFF responded quickly with server-side fixes including coordinate jittering (1km grid ±400m) and birthday obfuscation, though some promised client-side improvements remain unimplemented. The incident highlights the importance of professional security testing for location-based applications.

Digital Travel App TripBFF Exposed Location Data Way Too Accurately

Get Jonathan Leitschuh’s stories in your inbox