A popular phone tracking app was found to be leaking sensitive data of millions of users.
A security researcher named Eric Daigle discovered the flaw in iSharing, a mobile device tracking app with more than 10 million downloads on the Google Play Store alone.
By exploiting the vulnerability, Daigle was able to obtain the exact coordinates of any user, even if those users were not actively sharing their location with anyone else.
Improving security
While knowing someone’s precise location is a major security risk in itself, iSharing’s problems didn’t stop there. Daigle was also able to obtain users’ names, profile photos, and even phone numbers and email addresses used to log into the app.
This is more than enough information for someone who is putting a house on the line and waiting for the owner to move out before breaking in.
Daigle goes into more detail about the findings on his blog, which you can read here. The bottom line is that iSharing’s servers did a poor job of controlling who got access to whose location data.
The researcher came across the flaw during a broader investigation into the security of mobile location tracking applications. He contacted the developers, who reportedly did not return his calls. Then he sought help TechCrunch who were also the ones who broke the news.
“We are grateful to the researcher who discovered this problem so we could get ahead of it,” said Yongjae Chuh, co-founder of iSharing. TechCrunch in an email. “Our team currently plans to work with security professionals to add the necessary security measures to ensure that every user’s data is protected.”
The company later confirmed that a feature in the app called groups was flawed. The good news is that there is no evidence that anyone discovered the vulnerability before Daigle. A solution has now been implemented.