LocationSmart phone-tracking bug allowed anyone to track a phone's location in real time

The U.S.-based tracking company LocationSmart, which aggregates data about the real-time location of mobile phones, has a bug that could allow anyone to access the location data of millions of Americans.

The bug allowed access to the data without any password or other form of authentication or authorization, according to security research firm KrebsOnSecurity.

LocationSmart buys this geolocation data from the major US wireless carriers (T-Mobile, Verizon, AT&T and Sprint); while the carriers are not permitted to submit the location data to the government, they are allowed to sell it to businesses for advertising purposes.

LocationSmart's website had a bug that meant the check that a person had given the required consent before their data was accessed was not properly performed.

KrebsOnSecurity cites Robert Xiao, a security researcher at Carnegie Mellon University, who after the coverage of the Securus and LocationSmart story had been poking around a demo tool that LocationSmart makes available on its website for potential customers to try out its mobile location technology.

All Xiao needed to do to get access was to have the website return his requests in a different format.

The demo on LocationSmart's website is a free service that lets anyone see the approximate location of their own mobile phone by entering their name, email address and phone number into a form on the site; the site then sends a text to the phone number given and requests permission to ping that device's nearest cellular network tower.

Once consent is confirmed, LocationSmart texts the subscriber their approximate latitude and longitude and plots the coordinates on a Google Street View map.

But the service failed to perform basic checks to prevent anonymous and unauthorized queries, so anyone with a modicum of knowledge about how websites work could abuse the LocationSmart demo site to conduct mobile number location lookups without supplying a password or other credentials.
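As an added illustration (not LocationSmart's code), the following Python sketch models the class of flaw described here, a consent check that is only enforced for some response formats, and shows the fix: authorize once, before any format dispatch. The consent store, handler names and sample phone numbers are hypothetical, and the regression check confirms that an unconsented number is refused in every supported format.

```python
import json
import secrets
from dataclasses import dataclass, field

SUPPORTED_FORMATS = ("json", "xml", "text")

# Constructed sample data standing in for the carrier location feed.
SAMPLE_LOCATIONS = {"+15550001111": (37.7749, -122.4194),
                    "+15550002222": (40.7128, -74.0060)}


@dataclass
class ConsentStore:
    """Tokens issued on request, valid only after the handset replies (the SMS step)."""
    pending: dict = field(default_factory=dict)
    confirmed: set = field(default_factory=set)

    def request(self, phone: str) -> str:
        token = secrets.token_urlsafe(16)  # delivered to the handset, not the requester
        self.pending[phone] = token
        return token

    def confirm(self, phone: str, token: str) -> bool:
        if secrets.compare_digest(self.pending.get(phone, ""), token):
            self.confirmed.add(phone)
            return True
        return False


def render(fmt: str, phone: str, coords: tuple) -> str:
    lat, lon = coords
    if fmt == "json":
        return json.dumps({"phone": phone, "lat": lat, "lon": lon})
    if fmt == "xml":
        return f'<loc phone="{phone}" lat="{lat}" lon="{lon}"/>'
    return f"{phone}: {lat},{lon}"


def lookup_location(store: ConsentStore, phone: str, fmt: str = "json"):
    """Authorize first, serialize second: the format is untrusted input."""
    if fmt not in SUPPORTED_FORMATS:
        return 400, "unsupported format"
    if phone not in store.confirmed:
        return 403, "consent not confirmed"  # identical refusal in every format
    coords = SAMPLE_LOCATIONS.get(phone)
    if coords is None:
        return 404, "unknown subscriber"
    return 200, render(fmt, phone, coords)


def all_formats_gated(store: ConsentStore, phone: str) -> bool:
    """Regression check: an unconsented number is refused in every format."""
    return all(lookup_location(store, phone, f)[0] == 403 for f in SUPPORTED_FORMATS)
```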

The company has acknowledged the flaw by taking its demo page offline, though no official statement had been released at the time of this post.