Oh no! It’s starting to feel like everyone in charge of our sensitive data might be incompetent. Now, according to a security site, the tracking firm LocationSmart leaked real-time location data through its own website.
The problem was discovered recently by Robert Xiao, a science student at Carnegie Mellon, who found that a vulnerability in LocationSmart’s website made the real-time location of millions of phones readily available to anyone with the know-how.
LocationSmart provides real-time data on the location of subscribers’ mobile phones. The service is supposed to be opt-in, but it was reported that anyone could access this information for any AT&T, Sprint, T-Mobile or Verizon phone on the company’s website without a password or any other form of authentication.
For background, this website collects location data of mobile customers from major carriers in the United States, and then it sells it to other companies for a range of purposes, including compliance, cybersecurity, and proximity marketing. Up until the vulnerability was discovered, LocationSmart offered a trial webpage that allowed anyone to enter their phone number, confirm the request via SMS or a phone call and view their approximate real-time location.
The vulnerable page has since been taken offline. The big mistake is that the consent step, in which LocationSmart customers agree to have their phone’s location tracked, could be skipped entirely, exposing information they likely did not want anyone to know.
The error was initially found by Xiao, a Ph.D. candidate at Carnegie Mellon University. “I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” he said. “This is something anyone could discover with minimal effort. And the gist of it is I can track most people’s cell phone without their consent.”
The issue, as Xiao discovered, was that the webpage had a bug that allowed anyone with the technical skills to bypass the phone number verification process and view the full real-time location of any subscriber to most major carriers in the U.S., as well as Bell, Rogers and Telus in Canada.
In a blog post, he said the bug essentially involves requesting the location data in JSON format, instead of the default XML format:
If you make the same request with requesttype=locreq.json, you get the full location data, without receiving consent. This is the heart of the bug. Essentially, this requests the location data in JSON format, instead of the default XML format. For some reason, this also suppresses the consent (“subscription”) check.
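As an added illustration of the bug class described in that quote (this is not LocationSmart’s code; the handler structure, sample numbers and helper names are hypothetical, and only the requesttype=locreq.json parameter comes from the page), here is a minimal Python handler in which the consent check is bound to the XML branch, beside a hardened version that authorizes before dispatching on output format:

```python
import json
from xml.etree import ElementTree as ET

# Constructed sample data: numbers that opted in, and a last known fix per number.
CONSENTED = {"15550001111"}
LOCATIONS = {
    "15550001111": {"lat": 40.44, "lon": -79.94},
    "15550002222": {"lat": 37.77, "lon": -122.41},
}

class ConsentRequired(Exception):
    """Raised when a number that has not opted in is looked up."""

def _to_xml(msisdn, loc):
    root = ET.Element("location", msisdn=msisdn)
    ET.SubElement(root, "lat").text = str(loc["lat"])
    ET.SubElement(root, "lon").text = str(loc["lon"])
    return ET.tostring(root, encoding="unicode")

def _to_json(msisdn, loc):
    return json.dumps({"msisdn": msisdn, **loc})

def lookup_vulnerable(params):
    """Vulnerable (hypothetical): consent check coupled to the XML branch; JSON skips it."""
    msisdn = params["msisdn"]
    if params.get("requesttype", "locreq.xml") == "locreq.json":
        return _to_json(msisdn, LOCATIONS[msisdn])   # no consent check on this path
    if msisdn not in CONSENTED:
        raise ConsentRequired(msisdn)
    return _to_xml(msisdn, LOCATIONS[msisdn])

def lookup_hardened(params):
    """Hardened: authorize before dispatching on format; reject unknown formats."""
    msisdn = params["msisdn"]
    if msisdn not in CONSENTED:
        raise ConsentRequired(msisdn)            # enforced for every requesttype
    formatters = {"locreq.xml": _to_xml, "locreq.json": _to_json}
    fmt = formatters.get(params.get("requesttype", "locreq.xml"))
    if fmt is None:
        raise ValueError("unsupported requesttype")
    return fmt(msisdn, LOCATIONS[msisdn])

def leaks_without_consent(handler, requesttype="locreq.json"):
    """True if handler returns a fix for a number that never opted in."""
    try:
        handler({"msisdn": "15550002222", "requesttype": requesttype})
        return True
    except ConsentRequired:
        return False
```

The lesson for review is that an authorization check living inside one output branch is a check that any other branch silently omits; it belongs ahead of the format dispatch.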
Xiao immediately contacted US-CERT to coordinate disclosure upon discovering the vulnerability, and also shared details with Brian Krebs, who published a story with further details on his blog, Krebs on Security.
LocationSmart plotted the coordinates on a Google Street View map. It’s not clear exactly how long LocationSmart has offered its trial service or how long it has been vulnerable. Earlier reports had described how a private service called Securus, which obtained data from LocationSmart, had been used to track people’s phones without court orders, leading to criminal charges.
Those headlines are what prompted Xiao to poke around LocationSmart’s web site and ultimately discover this vulnerability. Now that the webpage has been taken down, it’s unclear what steps will be taken next if any. At least one U.S. senator has urged the FCC to enforce stricter privacy laws on carriers.
Update x1: A bug in a cell phone tracking firm’s website leaked millions of Americans’ real-time locations. The FCC’s Enforcement Bureau has confirmed it will investigate LocationSmart, as per CNET.