Hugely popular family tracking app leaked locations in real time

25 Mar 2019


One of the most downloaded family tracking apps was found to have been leaking users’ locations online in real time.

In a major case of irony, an app designed to help parents see where their children are at any given moment for their protection could have allowed anyone to see where they were without needing access to a secure account.

According to TechCrunch, the Family Locator app designed by Australian company React Apps was leaking the real-time locations of its nearly quarter-of-a-million users for a number of weeks. Rather than keeping the location information on a secured server, the developers were storing it on an entirely unencrypted, easily accessible MongoDB server.

The discovery was made by security researcher Sanyam Jain, who is also a member of the non-profit GDI Foundation, which advocates for a safer and open internet. After reviewing the database, Jain found that each account record contained personal information and the user's password in plaintext.

Also included were records of the location of the account holders and their family members, with a precision down to just a few metres, as well as named coordinates for geofenced areas set up by parents to alert them if their child strayed from a given location. All of this data, Jain said, was unencrypted, and subsequent tests and correspondence with other users confirmed that their location was being uploaded to the open server within a matter of seconds.

TechCrunch’s attempts to contact React Apps provided no answers, with its website and privacy policy providing little, if any, information on its owners and office location. However, after the existence of the open server was brought to the attention of Microsoft – which hosted it on its Azure platform – it was quickly removed.

This isn’t the first time that the locations of a product’s users have been exposed for anyone to see, as last year a researcher discovered a bug in the LocationSmart website that allowed tracking of millions of phones.

Colm Gorey was a senior journalist with Silicon Republic
