Hugely popular family tracking app leaked locations in real time
In a major case of irony, an app designed to help parents see where their children are at any given moment for their protection could have allowed anyone to see where they were without needing access to a secure account.
According to TechCrunch, the Family Locator app designed by the Australian company React Apps was leaking the real-time locations of its nearly a quarter of a million users for a number of weeks. Rather than keeping the location information on a secure server, the developers were storing it in an entirely unencrypted, easily accessible MongoDB server.
The discovery was made by security researcher Sanyam Jain, who is also a member of the non-profit GDI Foundation, which advocates for a safer and open internet. After reviewing the database, Jain found that each account record contained the user's personal information and a plaintext version of their password.
The records also included the locations of the account holders and their family members with a precision down to just a few metres, as well as named coordinates for geofenced areas set up by parents that would alert them if their child were to stray from a given location. All of this data, Jain said, was unencrypted, and subsequent tests and correspondence with other users confirmed that their location was being uploaded to the open server within a matter of seconds.
This isn’t the first time that the locations of a product’s users have been exposed for anyone to see, as last year a researcher discovered a bug in the LocationSmart website that allowed tracking of millions of phones.