LocationSmart Has Been Leaking Customer Location Data to Anyone

Due to some shoddy programming, a US company that hoards cell phone data accidentally gave anyone the disturbing power to look up the real-time location of cell phone users.

LocationSmart, as the service is known, identifies the locations of phones connected to AT&T, Sprint, T-Mobile, or Verizon, often to an accuracy of a few hundred yards, reporter Brian Krebs said. The company, named LocationSmart, was dealing with real-time security.

However, LocationSmart appears to have been careless with that data.

A little-known service has been leaking the real-time locations of US cell phone users to anyone who takes the time to exploit an easily spotted bug in a free trial feature, security news site KrebsOnSecurity reported Thursday. A bug on the website of phone tracking service LocationSmart allowed anyone to see the real-time location of United States cell phone users without their consent. The report showed how simple changes to the Web requests that made the demo work were able to bypass the requirement that a location be queried only after a phone user approved.

A researcher was digging around the demo and noticed a flaw in the system's API that can let you make cell phone location searches without obtaining the owner's consent. The vulnerability has been taken offline, said Krebs, but man, what a mistake. The LocationSmart bug essentially opened this tool up to anybody, the Carnegie Mellon researcher said. The remaining three sources said the location returned for their phones was between approximately one-fifth and one-third of a mile at the time.

Xiao was investigating the company on news that it's been supplying location data to a little-known prison technology firm called Securus Technologies.

He had tricked LocationSmart's website because the page was not properly verifying that a person received the required consent.
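One way to enforce the consent requirement on the server, so that changing the request cannot skip it. This is an added example, not LocationSmart's code: the class and function names, the PIN-by-SMS flow, the 300-second lifetime and the sample phone number are all assumptions.

```python
import hmac
import secrets
import time

CONSENT_TTL = 300  # seconds a PIN or an approval stays valid (assumed value)

class ConsentRegistry:
    """Server-side record of approvals; the client never asserts consent itself."""
    def __init__(self, clock=time.time):
        self._pending = {}    # (requester, phone) -> (pin, expiry)
        self._approved = {}   # (requester, phone) -> expiry
        self._clock = clock

    def request(self, requester, phone):
        """Start a consent flow; in production the PIN goes to the handset by SMS."""
        pin = f"{secrets.randbelow(10**6):06d}"
        self._pending[(requester, phone)] = (pin, self._clock() + CONSENT_TTL)
        return pin  # returned only so this example can play the subscriber

    def approve(self, requester, phone, pin):
        """Record approval when the subscriber replies with the PIN (one attempt)."""
        entry = self._pending.pop((requester, phone), None)
        if entry is None:
            return False
        expected, expiry = entry
        if self._clock() > expiry or not hmac.compare_digest(expected, pin):
            return False
        self._approved[(requester, phone)] = self._clock() + CONSENT_TTL
        return True

    def is_approved(self, requester, phone):
        expiry = self._approved.get((requester, phone))
        return expiry is not None and self._clock() <= expiry

def lookup_location(phone):
    # Constructed stand-in for the carrier query.
    return {"phone": phone, "lat": 0.0, "lon": 0.0}

def handle_locate(registry, requester, params):
    """Every response format goes through this one gate. Consent is read only
    from server state; any consent-like field in params is ignored."""
    phone = params.get("phone", "")
    if not registry.is_approved(requester, phone):
        return 403, None
    return 200, lookup_location(phone)
```

The approval is keyed on both the requester and the phone number, so consent given to one account cannot be reused by another, and it expires instead of granting standing access.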

Xiao said the error might have exposed around 200 million cell phone users in the USA and Canada. But their practices are raising serious questions over why United States wireless carriers are handing so much private data to third-party companies, when no controls appear to be in place.

Krebs contacted all four of the major United States mobile carriers, and all declined to confirm or deny a formal business relationship with LocationSmart, despite LocationSmart displaying the carriers' corporate logos on its website. Other than that, the companies referred Krebs to their privacy policies, which all prevent the sharing of location information without customer consent or a demand from law enforcement.
