A cell phone tracking service called LocationSmart has reportedly been leaking real-time location data on millions of mobile phone customers across North America.
Exploiting a bug in its website, anyone could track the location of US cell phone users without obtaining their consent. This bug was spotted by Robert Xiao, a Carnegie Mellon University researcher, in a free trial feature of the website.
LocationSmart provided a free demo service that allowed anyone to see the approximate location of a mobile phone. The site was designed to ask for users’ consent through their cellphone before passing on location data.
Under normal circumstances, users would receive an opt-in consent request through an automated text message or phone call. But a flaw in an API that powers the website made it possible to bypass the consent process, so just about anyone could obtain real-time location data of any user.
Xiao explained that he requested a phone number’s location in JSON format instead of the default XML format. “For some reason, this also suppresses the consent (‘subscription’) check,” writes Xiao in a blog post. In return, he received a page with the phone’s latitude and longitude.
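The class of bug described above, a consent check that runs on only one response-format path, can be modelled as follows. This is an added illustration, not LocationSmart's code or anything from Xiao's post: the article does not say how the check was actually implemented, and every name, number and coordinate below is a constructed assumption.

```python
# Constructed model: a consent check tied to one response-format branch,
# beside a handler that enforces consent before any format handling.
import json

CONSENTED = {"+15550100"}                      # constructed: numbers that opted in
LOCATIONS = {"+15550100": (40.44, -79.94),     # constructed sample coordinates
             "+15550199": (37.77, -122.42)}

class ConsentRequired(Exception):
    pass

def to_xml(lat, lon):
    return f"<location><lat>{lat}</lat><lon>{lon}</lon></location>"

def to_json(lat, lon):
    return json.dumps({"lat": lat, "lon": lon})

SERIALIZERS = {"xml": to_xml, "json": to_json}

def locate_flawed(number, fmt="xml"):
    """Hypothetical flawed handler: consent is checked only on the XML path."""
    lat, lon = LOCATIONS[number]
    if fmt == "json":
        return to_json(lat, lon)               # returns before the consent check
    if number not in CONSENTED:
        raise ConsentRequired(number)
    return to_xml(lat, lon)

def locate_hardened(number, fmt="xml"):
    """Consent is enforced once, before data lookup or serialization."""
    if fmt not in SERIALIZERS:
        raise ValueError(f"unsupported format: {fmt}")
    if number not in CONSENTED:
        raise ConsentRequired(number)
    return SERIALIZERS[fmt](*LOCATIONS[number])

def formats_skipping_consent(handler, number):
    """Regression check: formats that return data for a non-consented number."""
    leaked = []
    for fmt in SERIALIZERS:
        try:
            handler(number, fmt)
            leaked.append(fmt)
        except ConsentRequired:
            pass
    return leaked
```

Running `formats_skipping_consent` over every supported format in a test suite catches an authorization check that was added to one output path and forgotten on another.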
LocationSmart claims to have direct connections to at least the four largest US cell carriers: Verizon, AT&T, T-Mobile, and Sprint. So approximately 200 million users have been exposed to this vulnerability.
Since the data was collected through cell carriers, it worked regardless of phone operating system or privacy settings on the device itself. Hence there are no means of escaping such tracking activities.
Even though LocationSmart’s demo page has been taken down and the flaw has been patched, incidents like these reflect the lax attitude of companies towards user privacy and security.