Exploiting an Overlooked API Endpoint to Access Private Read Statuses — Even When the UI Said Delivered
Introduction
In messaging apps, privacy expectations are everything. Some users want the read notification, others prefer ambiguity. Bumble chose the latter — messages show as delivered but never as read, preserving a sense of privacy.
But what if the app lied?
Security researcher @ndrong discovered that Bumble’s backend API quietly betrayed this promise, exposing the read status of messages even though the frontend never displayed it. The flaw earned a $600 bounty and highlights the subtle power of backend APIs — and the risks of mismatched client-server behavior.
On Bumble’s mobile app, messages show whether they were delivered — but crucially not whether they were read. The same goes for the web app, which provides an even more stripped-down experience.
This design choice implies a privacy guarantee: your matches won’t know whether you’ve read their messages — so no pressure, right?
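The pattern behind this class of bug, as an added illustration that is not Bumble’s code and not from the write-up: a serializer that returns the whole message record and trusts the UI to hide fields, next to one built from an allow-list of exactly what the client renders. All field and function names are assumptions.

```python
"""Hypothetical message serializer (not Bumble's code) showing the
client/server mismatch: the UI never shows 'read', so the API the UI
calls must not return it either. Field names are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Message:
    id: int
    sender_id: int
    recipient_id: int
    text: str
    delivered_at: Optional[datetime]
    read_at: Optional[datetime]  # server-side only; never meant for the sender


# Fields the client actually renders for a sent message. Treat this as the
# contract the API must honour; anything outside it is a leak candidate.
SENDER_VISIBLE_FIELDS = {"id", "recipient_id", "text", "status"}


def serialize_leaky(msg: Message) -> dict:
    """The anti-pattern: dump the whole record and let the client hide fields."""
    return {"id": msg.id, "sender_id": msg.sender_id,
            "recipient_id": msg.recipient_id, "text": msg.text,
            "delivered_at": msg.delivered_at, "read_at": msg.read_at}


def serialize_for_sender(msg: Message) -> dict:
    """Hardened: derive the status the UI is allowed to show and emit only
    allow-listed fields, so read_at never reaches the sender at all."""
    status = "delivered" if msg.delivered_at else "sent"  # 'read' is never emitted
    out = {"id": msg.id, "recipient_id": msg.recipient_id,
           "text": msg.text, "status": status}
    if not set(out) <= SENDER_VISIBLE_FIELDS:
        raise ValueError("response contains fields outside the UI contract")
    return out


def leaked_fields(payload: dict) -> set:
    """Regression check: which returned fields fall outside the UI contract?"""
    return set(payload) - SENDER_VISIBLE_FIELDS
```

The `leaked_fields` check is the kind of assertion to run in API tests for every endpoint the client calls, so that a field the UI hides cannot silently reappear in the JSON.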