STE WILLIAMS

LocationDumb: phone tracker foul-up exposes world+dog to tracking

The parade of bad privacy news this week has managed to get even worse: one of the companies caught up in the phone-locations-for-cash scandal turned out to be running a publicly exploitable bug on its own website.

Researcher Robert Xiao says LocationSmart was running a site with a vulnerability that could allow anyone to look up the location of virtually any mobile phone in the US. Xiao says he reported the bug to the company, which has since patched it on its site.

Xiao, currently at Carnegie Mellon University (he is set to become an assistant professor at the University of British Columbia this fall), found that a demo feature the company offers on its site could be abused to look up the location of anyone, without that person's knowledge or consent.

LocationSmart was among the companies dragged into the public eye this week when it was named as one of the location-tracking sources used by Securus, a US telco accused of illegally handing tracking data to police. LocationSmart pitches its services for uses such as opt-in marketing, company device management, and Internet of Things services.

To help sell its tracking services (for legitimate uses), LocationSmart lets visitors perform a "demo" search: enter your own phone number, reply to an opt-in test message sent to that phone, and then see your own location.

Normally, the opt-in step would protect user privacy by only letting a user track a phone they actually hold. Unfortunately, as Xiao found, simply editing one parameter of the POST request sent to the site, so that it asked for the location as JSON instead of as an XML snippet, bypassed that consent check entirely.

“Essentially, this requests the location data in JSON format, instead of the default XML format,” Xiao explains.

“For some reason, this also suppresses the consent (‘subscription’) check.”

Xiao also provided a proof-of-concept script to show how the (since patched) vulnerability could be exploited in the wild.
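The bug class here is an authorization check that lives in only one branch of a response-format switch. The following is an added illustration written for this page, not Xiao's script and not LocationSmart's code: the parameter names (`number`, `format`), the phone numbers and the location table are all constructed, and the vulnerable handler merely reproduces the behaviour the article describes (consent enforced for XML, skipped for JSON) beside a fixed handler that authorizes before it ever looks at the requested format.

```python
"""Constructed example: a consent check tied to one output format, and the fix.
Not LocationSmart's code; parameter names, numbers and locations are made up."""
import json
import xml.etree.ElementTree as ET

# Constructed sample data: the one number that completed the opt-in test,
# and a fake location table standing in for the carrier lookup.
CONSENTED = {"+15551230001"}
LOCATIONS = {
    "+15551230001": {"lat": 40.4433, "lon": -79.9436},
    "+15551230002": {"lat": 37.7749, "lon": -122.4194},
}


class ConsentRequired(Exception):
    """Raised when a number has not opted in."""


def _render(number, loc, fmt):
    """Serialize a location as JSON or XML. Pure presentation, no policy."""
    if fmt == "json":
        return json.dumps({"number": number, **loc})
    root = ET.Element("location", number=number)
    ET.SubElement(root, "lat").text = str(loc["lat"])
    ET.SubElement(root, "lon").text = str(loc["lon"])
    return ET.tostring(root, encoding="unicode")


def lookup_vulnerable(params):
    """Anti-pattern: the consent check is inside the XML branch only, so a
    client that asks for format=json never hits it."""
    number = params["number"]
    fmt = params.get("format", "xml")
    loc = LOCATIONS.get(number)
    if loc is None:
        raise KeyError(number)
    if fmt == "xml":
        if number not in CONSENTED:
            raise ConsentRequired(number)
        return _render(number, loc, "xml")
    return _render(number, loc, "json")  # consent never checked here


def lookup_fixed(params):
    """Authorize first, on every path; the output format is decided after."""
    number = params["number"]
    fmt = params.get("format", "xml")
    if fmt not in ("xml", "json"):
        raise ValueError("unsupported format: %r" % fmt)
    if number not in CONSENTED:          # single check, before any lookup
        raise ConsentRequired(number)
    loc = LOCATIONS.get(number)
    if loc is None:
        raise KeyError(number)
    return _render(number, loc, fmt)


def bypass_succeeds(handler, number):
    """Replay the reported trick: same request, format flipped to json.
    Returns True if the handler disclosed a location without consent."""
    try:
        handler({"number": number, "format": "json"})
        return True
    except ConsentRequired:
        return False


if __name__ == "__main__":
    target = "+15551230002"  # constructed: never opted in
    print("vulnerable handler leaks:", bypass_succeeds(lookup_vulnerable, target))
    print("fixed handler leaks:     ", bypass_succeeds(lookup_fixed, target))
```

The practical check when reviewing an API like this is to grep for every place the consent or authorization decision is made and confirm it sits above, not inside, any branch on content type, `Accept` header, API version or output format; a single early check that all renderers share is what removes this class of bypass.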

LocationSmart did not respond to a request for comment on the matter. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/18/phone_tracker_foulup/
