Location app leaves users running scared
As much as we feel that technology is making life simpler and more connected…which it is…there are some instances where technology is exposing us to several risks.
I recently read an article on techcrunch.com which pointed out how a basic risk can become a major problem.
The article pointed out that a popular family tracking app was leaking the real-time locations of more than 238 000 users for weeks after the developer left a server exposed without a password.
The app, Family Locator, built by Australia-based software house React Apps, allows families to track each other in real-time, such as spouses or parents wanting to know where their children are. It also lets users set up geofenced alerts to send a notification when a family member enters or leaves a certain location, such as school or work.
The article added that the backend MongoDB database was left unprotected and accessible by anyone who knew where to look.
Sanyam Jain, a security researcher and a member of the GDI Foundation, found the database and reported the findings to TechCrunch.
He told TechCrunch that, based on a review of the database, each account record contained:
- user names;
- email addresses;
- profile photo’s; and
- plaintext passwords.
The TechCrunch article pointed out that each account also kept a record of their own and other family members’ real-time locations correct to just a few feet. Any user who had a geofence set up also had those coordinates stored in the database, along with what the user called them.
None of the data was encrypted.
TechCrunch verified the contents of the database by downloading the app and signing up using a dummy email address. Within seconds, our real-time location appeared as precise coordinates in the database.
TechCrunch contacted one app user at random who, albeit surprised and startled by the findings, confirmed to TechCrunch that the coordinates found under their record were accurate. The Florida-based user, who did not want to be named, said that the database was the location of their business. The user also confirmed that a family member listed in the app was their child, a student at a nearby high school.
Several other records we reviewed also included the real-time locations of parents and their children.
TechCrunch spent a week trying to contact the developer, React Apps, to no avail.
The website had a privacy-enabled hidden WHOIS record, masking the owner’s email address. We even bought the company’s business records from the Australian Securities & Investments Commission, only to learn the company owner’s name — Sandip Mann Singh — but no contact information. We sent several messages through the company’s feedback form but received no acknowledgment.
On Friday, TechCrunch asked Microsoft, which hosted the database on its Azure cloud, to contact the developer. Hours later, the database was finally pulled offline.
It’s not known precisely how long the database was exposed for. Singh still hasn’t acknowledged the data leak.