
Friday, May 18, 2018

Around 200 million people had their real-time location exposed by LocationSmart

A bug allowed you to track someone's location without obtaining their consent.

Earlier this week, it was reported that a company called LocationSmart partners with U.S. carriers to sell people's real-time location to all sorts of third parties. This news came as a rather unpleasant surprise on its own, but it's now been discovered that a bug on LocationSmart's website exposed the real-time location for around 200 million individuals.

According to ZDNet, LocationSmart used to feature a tool on its website that allowed you to try its tracking service before you bought it. With the consent of a friend or colleague, you could use LocationSmart's system to track their location for free. After you entered your friend's number, they'd receive a text to confirm it was okay for their location to be tracked, and you'd be able to see where in the world they are.

However, as noted by Robert Xiao, a Ph.D. student at Carnegie Mellon University:

Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location. The implication of this is that LocationSmart never required consent in the first place.

What sort of bug are we talking about? Per ZDNet:

Xiao said one of the APIs used in the "try" page that allowed users to try the location feature out was not validating the consent response properly. Xiao said it was "trivially easy" to skip the part where the API sends the text message to the user to obtain their consent.

That "try" page has since been removed from LocationSmart's site, and according to a spokesperson from the company, "the vulnerability was not exploited prior to May 16, and did not result in any customer information being obtained without their permission."

Even so, this bug potentially exposed the real-time location of around 200 million people in the United States and Canada, and LocationSmart hasn't provided any evidence to back up its claim that no info was stolen.
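The class of flaw described above, a lookup endpoint that does not properly validate consent, shown beside a server-side check as an added example (not LocationSmart's code; the page does not describe how its API actually failed). All function names, parameters, the five-minute window and the phone numbers are assumptions constructed for illustration.

```python
import hmac
import secrets
import time

CONSENT_TTL = 300   # seconds a confirmation stays valid (assumed policy)
_pending = {}       # request_id -> consent record, held server-side only

def start_request(phone, now=None):
    """Create a pending record; the one-time code reaches the handset by SMS only."""
    now = time.time() if now is None else now
    request_id, code = secrets.token_urlsafe(16), secrets.token_hex(4)
    _pending[request_id] = {"phone": phone, "code": code,
                            "confirmed": False, "expires": now + CONSENT_TTL}
    return request_id, code  # code returned only so a test can play the handset

def confirm(request_id, phone, code, now=None):
    """Called by the SMS gateway when the subscriber replies with the code."""
    now = time.time() if now is None else now
    rec = _pending.get(request_id)
    if rec is None or now > rec["expires"] or rec["phone"] != phone:
        return False
    if not hmac.compare_digest(rec["code"], code):
        return False
    rec["confirmed"] = True
    return True

def lookup(phone):
    # Stand-in for the carrier query; returns a constructed value.
    return {"phone": phone, "lat": 0.0, "lon": 0.0}

def locate_weak(params):
    """Hypothetical flawed check: believes the caller's own claim of consent."""
    if params.get("consent") == "yes":
        return lookup(params["phone"])
    return None

def locate(params, now=None):
    """Consent is read from server state, bound to the number, timed, single-use."""
    now = time.time() if now is None else now
    rid = params.get("request_id")
    rec = _pending.get(rid)
    if rec is None or not rec["confirmed"] or now > rec["expires"]:
        return None
    if rec["phone"] != params.get("phone"):
        return None
    del _pending[rid]  # one lookup per confirmation
    return lookup(rec["phone"])
```
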




from Android Central - Android Forums, News, Reviews, Help and Android Wallpapers https://ift.tt/2Guox9T
via IFTTT
