LocationDumb: Phone tracker foul-up exposes world+dog to tracking

Securus wasted its money: the data was just sitting there

16 Reg comments Got Tips?

Updated The parade of bad privacy news this week has managed to get even worse, as one of the companies associated with the selling of phone locations for cash scandal was subject to a publicly exploitable bug.

Researcher Robert Xiao says LocationSmart was running a site riddled with vulnerabilities that could allow anyone to look up the location of virtually any mobile phone in the US. Xiao says he reported the bug to the company, who has since patched it on their site.

Xiao, currently at Carnegie Mellon University (he's set to become an assistant professor at the University of British Columbia this Fall), found that a demo feature the company offers on its site could be abused to look up the location of anyone without their knowledge.

LocationSmart was among the companies dragged into the public eye this week when it was named among the location-tracking sources used by Securus, a US telco accused of illegally giving tracking data to police. LocationSmart pitches its services for areas like opt-in marketing, company device management, and Internet of Things services.

To help sell its tracking services (for legitimate uses), LocationSmart allows users to perform a "demo" search by entering their own phone number, replying to an opt-in test, then seeing their own location.

Normally, the opt-in feature would protect user privacy by only letting a user track a phone they owned. Unfortunately, as Xiao found, simply editing one line of POST request sent to the site - and asking for the location as a .json instead of an XML snippet- bypasses the requirement for this check.

"Essentially, this requests the location data in JSON format, instead of the default XML format," Xiao explains.

"For some reason, this also suppresses the consent ('subscription') check."

Xiao also provided a proof of concept script to show how the (since patched) vulnerability could be exploited in the wild.

LocationSmart did not respond to a request for comment on the matter. ®

Updated to add

LocationSmart has confirmed it had learned of the issue through Xiao and had remedied it prior to the public disclosure. The company said that it did not believe anyone else had exploited the flaw to view user details.

"LocationSmart is continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist," the company told The Register.

"LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process."

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Keep Reading

Australia sues Google over data collection practices that merged DoubleClick data to create single user profiles

Alleges opt-in that promised “more control” actually sent more data without informed consent. Google 'strongly disagrees'

White elephants in the mist: Google's upcoming Pixel 4A may ship without Soli motion recognition, per FCC filing

Stripping radar-based tech would cut price and allow phone's sale in markets where 60GHz spectrum is restricted

Privacy watchdogs from the UK, Australia team up, snap on gloves to probe AI-for-cops upstart Clearview

Investigation follows Canada's decision to give image-scraping biz the boot

Google Australia says government pulled pin on content-for-cash talks, hands in its homework anyway

And fires back with 'we do for free what meatspace distributors charge for' argument

Australia to force Google and Facebook to pay for news and reveal algorithm changes before they whack web traffic

And is willing to fine them hundreds of millions if they don't play nice

Sunday: Australia is shocked UK would consider tracking mobile data to beat pandemic. Monday: Australia to deploy drone intimidation squads

Updated Bloody poms are full of great ideas

Ooh, watch out Google. You've got competition. Verizon has a new 'privacy-focused' search engine

Yep, the Verizon that sold subscribers' location data

Apple and Google tweak key bits of contact-tracing privacy plan

As European nations back decentralised plan that leaves data on the device until users call in sick

Biting the hand that feeds IT © 1998–2020