The parade of bad privacy news this week has managed to get even worse, as one of the companies associated with the scandal over selling phone locations for cash was found to have a publicly exploitable bug on its website.
Researcher Robert Xiao says LocationSmart was running a site riddled with vulnerabilities that could allow anyone to look up the location of virtually any mobile phone in the US. Xiao says he reported the bug to the company, which has since patched it on its site.
Xiao, currently at Carnegie Mellon University (he's set to become an assistant professor at the University of British Columbia this Fall), found that a demo feature the company offers on its site could be abused to look up the location of anyone without their knowledge.
LocationSmart was among the companies dragged into the public eye this week when it was named among the location-tracking sources used by Securus, a US telco accused of illegally giving tracking data to police. LocationSmart pitches its services for areas like opt-in marketing, company device management, and Internet of Things services.
To help sell its tracking services (for legitimate uses), LocationSmart allows users to perform a "demo" search by entering their own phone number, replying to an opt-in test, then seeing their own location.
Normally, the opt-in feature would protect user privacy by only letting a user track a phone they owned. Unfortunately, as Xiao found, simply editing one line of the POST request sent to the site, so that it asked for the location as JSON instead of as an XML snippet, bypassed this check entirely.
"Essentially, this requests the location data in JSON format, instead of the default XML format," Xiao explains.
"For some reason, this also suppresses the consent ('subscription') check."
Xiao also provided a proof of concept script to show how the (since patched) vulnerability could be exploited in the wild.
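The design flaw Xiao describes, as an added illustration that is not LocationSmart's code or Xiao's script: a consent check performed only inside the default XML response path, beside a version that authorizes before it serializes. The phone numbers, coordinates and form fields are constructed for the example.

```python
"""Consent check tied to one output branch vs. consent check before any output."""
import json

# Constructed sample data: numbers that completed the opt-in reply, and the
# location store the demo service would consult.
CONSENTED = {"+15551230001"}
LOCATIONS = {
    "+15551230001": (40.4433, -79.9436),
    "+15551230002": (37.7749, -122.4194),
}


class ConsentRequired(Exception):
    """Raised when a lookup is attempted for a number that never opted in."""


def _lookup(number):
    return LOCATIONS[number]


def locate_vulnerable(form):
    """Pattern described in the article: the consent ('subscription') check
    lives in the default XML path only, so requesting JSON skips it."""
    number = form["number"]
    if form.get("format", "xml") == "json":
        lat, lon = _lookup(number)  # no consent check on this branch
        return json.dumps({"lat": lat, "lon": lon})
    if number not in CONSENTED:
        raise ConsentRequired(number)
    lat, lon = _lookup(number)
    return f"<location><lat>{lat}</lat><lon>{lon}</lon></location>"


def locate_hardened(form):
    """Authorize first, then serialize: every output format shares one consent
    gate, so the format parameter cannot route around it."""
    number = form["number"]
    if number not in CONSENTED:
        raise ConsentRequired(number)
    lat, lon = _lookup(number)
    if form.get("format", "xml") == "json":
        return json.dumps({"lat": lat, "lon": lon})
    return f"<location><lat>{lat}</lat><lon>{lon}</lon></location>"


def consent_enforced(handler, number):
    """Regression check: True only if the handler refuses a non-consented
    number in every supported output format, not just the default one."""
    for fmt in ("xml", "json"):
        try:
            handler({"number": number, "format": fmt})
            return False
        except ConsentRequired:
            continue
    return True
```

Running `consent_enforced` against each handler for a number that has not opted in shows the vulnerable handler failing on the JSON format alone, which is the kind of per-format authorization test that would have caught this before deployment.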
LocationSmart did not respond to a request for comment on the matter. ®
Updated to add
LocationSmart has confirmed it had learned of the issue through Xiao and had remedied it prior to the public disclosure. The company said that it did not believe anyone else had exploited the flaw to view user details.
"LocationSmart is continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist," the company told The Register.
"LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process."