Tracking firm's website bug leaked location of almost all US cell phones

midian182


In the wake of the Facebook/Cambridge Analytica scandal, it’s easy to imagine that companies are now more careful when it comes to privacy matters—but it seems that isn’t the case. A bug on the website of phone tracking service LocationSmart allowed anyone to see the real-time location of US cell phone users, and without their consent.

LocationSmart aggregates the data of phones connected to AT&T, Sprint, T-Mobile, and Verizon, obtaining locations from nearby cell towers, KrebsOnSecurity reports. The company, which said it offers this service only for legitimate and authorized purposes, provided a demonstration of these tracking abilities on its website.

The free trial allowed a potential customer to type in a phone number, at which point that number would receive a consent text. Once the person replied “yes,” their location would be revealed. But an error in the API allowed anyone, without a password or any other form of authentication, to run a search, and locations were revealed without the subscriber’s consent.
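The consent flow described above, modelled as an added example (illustrative code, not LocationSmart's implementation): the authentication and consent checks sit directly in front of the location data, so no entry point can return a position without both. The API key, phone numbers and coordinates are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum


class Consent(Enum):
    NONE = "none"        # no request sent, or the subscriber declined
    PENDING = "pending"  # consent text sent, awaiting the reply
    GRANTED = "granted"  # subscriber replied "yes"


@dataclass
class LookupService:
    """Illustrative consent-gated lookup; assumed model, not the real service."""
    api_keys: set                                  # constructed: keys of authorised customers
    consent: dict = field(default_factory=dict)    # number -> Consent
    locations: dict = field(default_factory=dict)  # constructed stand-in for carrier data

    def request_consent(self, number: str) -> str:
        # Step 1: the customer enters a number; the subscriber gets a consent text.
        self.consent[number] = Consent.PENDING
        return f"SMS to {number}: reply YES to share your location"

    def record_reply(self, number: str, text: str) -> Consent:
        # Step 2: only an explicit "yes" to a pending request grants consent.
        pending = self.consent.get(number) == Consent.PENDING
        granted = pending and text.strip().lower() == "yes"
        self.consent[number] = Consent.GRANTED if granted else Consent.NONE
        return self.consent[number]

    def lookup(self, number: str, api_key: str) -> dict:
        # Step 3: both checks run before the data is touched, so a demo page,
        # an API call or any other entry point cannot bypass them.
        if api_key not in self.api_keys:
            raise PermissionError("unauthenticated caller")
        if self.consent.get(number) != Consent.GRANTED:
            raise PermissionError("subscriber has not consented")
        lat, lon = self.locations[number]
        return {"number": number, "lat": lat, "lon": lon}


def safe_lookup(svc: LookupService, number: str, api_key: str):
    """Return the location dict, or the refusal reason as a string."""
    try:
        return svc.lookup(number, api_key)
    except PermissionError as exc:
        return str(exc)
```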

Carnegie Mellon University researcher Robert Xiao uncovered the bug. “I stumbled upon this almost by accident, and it wasn’t terribly hard to do. This is something anyone could discover with minimal effort,” he told Krebs. Xiao posted technical details of his find here.

Xiao said the error might have exposed around 200 million cell phone users in the US and Canada. The free demo has now been removed from the website.

LocationSmart founder and CEO Mario Proietti told Krebs: "We don't give away data. We make it available for legitimate and authorized purposes. It’s based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously, and we’ll review all facts and look into them.”

News of the bug came just five days after the New York Times story on prison telecom company Securus, a customer of LocationSmart. The publication revealed how a former police sheriff used the firm to get location data without a warrant.


 
You know, I'm getting to the point that I believe ANY of these companies that failed to secure your data should be criminally prosecuted with mandatory sentencing that especially includes ALL corporate officers. There has been more than enough time for them all to get the word. Profits are no excuse, especially when they are making money off of all of us.
 
Putting my conspiracy tin foil hat on....

I don't believe any of these are TRUE "bugs"... they are intentional and secretly mandated by the US government.
 
> You know, I'm getting to the point that I believe ANY of these companies that failed to secure your data should be criminally prosecuted with mandatory sentencing that especially includes ALL corporate officers. There has been more than enough time for them all to get the word. Profits are no excuse, especially when they are making money off of all of us.

(y) Probably won't happen at the federal level, though, with this Make America Garbage Again motto.
 
> Putting my conspiracy tin foil hat on....
>
> I don't believe any of these are TRUE "bugs"... they are intentional and secretly mandated by the US government.

The number of engineers they would have to bribe to hide an industry-wide conspiracy would be mind-boggling and wouldn't last anyway; engineers love to brag about their accomplishments. More likely, it is as it seems: a systemic lack of ethics amongst software engineers who aren't doing enough asking of "should"-type questions, and too much asking of "could"-type.
 
> > Putting my conspiracy tin foil hat on....
> >
> > I don't believe any of these are TRUE "bugs"... they are intentional and secretly mandated by the US government.
>
> The number of engineers they would have to bribe to hide an industry-wide conspiracy would be mind-boggling and wouldn't last anyway; engineers love to brag about their accomplishments. More likely, it is as it seems: a systemic lack of ethics amongst software engineers who aren't doing enough asking of "should"-type questions, and too much asking of "could"-type.

Again with "the numbers would have to be mind-boggling to hide this kind of thing". It's old hat. Obviously you aren't aware of how easily these numbers are achieved and kept secret, such as the Manhattan Project (some 100,000 people, allegedly) or the National Reconnaissance Office, the largest and most heavily-funded branch of intelligence that was top secret for thirty years. Five to ten million people work for the NRO, directly or indirectly. Six million people work for Langley. You've obviously never even heard of the NRO, which shows how well you do your research.

And you think that large numbers make conspiracies impossible...
 
Honest mistake by LocationSmart. As their CEO said, "We don't give away data.."
Why would they when there is so much money to be made selling it? Offer enough cash, won't matter who you are.
 
> Honest mistake by LocationSmart. As their CEO said, "We don't give away data.."
> Why would they when there is so much money to be made selling it? Offer enough cash, won't matter who you are.

And did the CEO ever define "legitimate and authorized purposes"?
 