A researcher discovered a bug in the LocationSmart website that allowed tracking of millions of phones.
According to a new report from ZDNet, LocationSmart, a service that pinpoints the locations of phones connected to major US networks such as AT&T, Sprint, T-Mobile and Verizon, was found to have a bug that allowed the tracking of millions of phones.
The site was designed to require a user to opt in through their phone before disclosing their location, but an apparent error in an API it used made it possible for anyone to get anyone else’s geographic coordinates without their consent, simply by asking for the data in a particular format.
The bug was first spotted by Robert Xiao, a Carnegie Mellon University researcher. “That’s all,” he wrote. “The entire consent process is bypassed and you have the phone’s location.”
Xiao said his tests showed he could reliably query LocationSmart’s service to ping the cell phone tower closest to a subscriber’s mobile device. Xiao said he checked the mobile number of a friend several times over a few minutes while that friend was moving. By pinging the friend’s mobile network multiple times over several minutes, he was then able to plug the coordinates into Google Maps and track the friend’s directional movement.
“This is really creepy stuff,” Xiao said, adding that he’d also successfully tested the vulnerable service against one Telus Mobility mobile customer in Canada who volunteered to be found.
LocationSmart Founder and CEO Mario Proietti said, “We don’t give away data. We make it available for legitimate and authorized purposes. It’s based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously and we’ll review all facts and look into them.”
