One of the most downloaded family tracking apps was found to have been leaking users’ locations online in real time.
In a major case of irony, an app designed to help parents see where their children are at any given moment for their protection could have allowed anyone to see where they were without needing access to a secure account.
According to TechCrunch, the Family Locator app designed by Australian company React Apps was leaking the real-time locations of its nearly quarter-of-a-million users for a number of weeks. Rather than storing the location information on a secure server, the developers were storing it on an entirely unencrypted, easily accessible MongoDB server.
The discovery was made by security researcher Sanyam Jain, who is also a member of the non-profit GDI Foundation, which advocates for a safer and open internet. After reviewing the database, Jain found that each of the account records contained personal information and a plaintext version of user passwords.
Also included were records of the location of the account holders and their family members, with a precision down to just a few metres, as well as named coordinates for geofenced areas set up by parents to alert them if their child strayed from a given location. All of this data, Jain said, was unencrypted, and subsequent tests and correspondence with other users confirmed that their location was being uploaded to the open server within a matter of seconds.
This isn’t the first time that the locations of a product’s users have been exposed for anyone to see: last year, a researcher discovered a bug in the LocationSmart website that allowed tracking of millions of phones.