A location-tracking company’s demo tool has allegedly leaked the real-time location of almost every mobile phone user in the United States.
LocationSmart, a company that sells location-tracking services, reportedly allowed anyone to see the real-time location of smartphone users in the United States through a demo tool on its website. The exposure was allegedly caused by a bug in the tool’s API.
LocationSmart’s services involve collecting aggregated real-time location data for essentially every mobile phone device in the U.S. It derives positions from the cell towers near each device, using data from mobile carriers such as AT&T, Sprint, T-Mobile, and Verizon.
The company offered a free demonstration of its tracking service on its website. A prospective customer types in a person’s phone number, which prompts the system to send a consent text message to the owner of that number. If the owner replies “yes,” his or her location is revealed to the requester.
However, a bug in the demo tool’s API allowed anyone, with no website password or any other form of authentication, to run a lookup and see the location of virtually any U.S. mobile phone user without that user’s consent.
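The article does not say what the bug was, so the following is an added, constructed example and not LocationSmart’s code. It illustrates the general class of flaw the article describes: a consent check that is enforced on the demo page but not on every path to the underlying lookup. All names, phone numbers and coordinates below are made up for the example.

```python
"""Consent-gated location lookup: a bypassable gate beside a correct one.

Constructed example, not LocationSmart's code. The article does not
describe the real bug; this shows the general pattern where a consent
check lives only in one handler and a second path to the same lookup
skips it entirely.
"""
from dataclasses import dataclass, field

# Constructed sample "carrier" data: phone number -> (lat, lon).
CARRIER_POSITIONS = {
    "+15550100001": (40.4433, -79.9436),
    "+15550100002": (37.7749, -122.4194),
}


class ConsentDenied(Exception):
    """Raised when a lookup is attempted for a number that never consented."""


@dataclass
class ConsentStore:
    sent: set = field(default_factory=set)     # numbers a consent SMS went to
    granted: set = field(default_factory=set)  # numbers whose owner replied yes

    def send_request(self, phone: str) -> None:
        self.sent.add(phone)

    def record_reply(self, phone: str, text: str) -> None:
        # Only an affirmative reply from a number we actually asked counts;
        # an unsolicited "yes" from some other number grants nothing.
        if phone in self.sent and text.strip().lower() == "yes":
            self.granted.add(phone)


def carrier_lookup(phone: str):
    """Stand-in for the carrier query; returns (lat, lon) or None."""
    return CARRIER_POSITIONS.get(phone)


class VulnerableService:
    """Consent is checked only in the demo-page handler; the API handler
    calls the raw lookup directly, so consent is bypassed on that path."""

    def __init__(self, consents: ConsentStore):
        self.consents = consents

    def demo_page(self, phone: str):
        if phone not in self.consents.granted:
            raise ConsentDenied(phone)
        return carrier_lookup(phone)

    def api(self, phone: str):
        return carrier_lookup(phone)  # BUG: no consent or auth check here


class HardenedService:
    """Every entry point goes through a single gate that enforces consent
    for the specific number being queried."""

    def __init__(self, consents: ConsentStore):
        self.consents = consents

    def _gated_lookup(self, phone: str):
        if phone not in self.consents.granted:
            raise ConsentDenied(phone)
        return carrier_lookup(phone)

    def demo_page(self, phone: str):
        return self._gated_lookup(phone)

    def api(self, phone: str):
        return self._gated_lookup(phone)


def run_scenario(service_cls):
    """Query a number whose owner was asked but never replied.

    Returns (demo_leaked, api_leaked): True where a location came back."""
    consents = ConsentStore()
    svc = service_cls(consents)
    target = "+15550100002"
    consents.send_request(target)  # SMS sent, no reply ever recorded

    def attempt(fn):
        try:
            return fn(target) is not None
        except ConsentDenied:
            return False

    return attempt(svc.demo_page), attempt(svc.api)


def run_with_consent(service_cls):
    """Happy path: owner replies yes, then both handlers may return data."""
    consents = ConsentStore()
    svc = service_cls(consents)
    target = "+15550100001"
    consents.send_request(target)
    consents.record_reply(target, " Yes ")
    return svc.demo_page(target), svc.api(target)
```

Running `run_scenario(VulnerableService)` shows the demo page refusing but the API path returning a location for a number that never consented; `HardenedService` refuses on both. The fix is not a second copy of the check but a single gate that every path must pass through, bound to the number being looked up rather than to the page the request came from.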
“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” said Robert Xiao, a researcher at Carnegie Mellon University who discovered the bug. “This is something anyone could discover with minimal effort. And the gist of it is I can track most people’s cell phones without their consent.”
According to Xiao, he was able to track a friend’s phone by querying the number repeatedly. Plugging the returned coordinates into Google Maps, he could follow the direction in which his friend was moving.
When asked for comment about the incident, LocationSmart founder and CEO Mario Proietti told KrebsOnSecurity:
“We don’t give away data,” Proietti said. “We make it available for legitimate and authorized purposes. It’s based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously, and we’ll review all facts and look into them.”
The company took the vulnerable demo service offline yesterday afternoon, shortly after Krebs contacted it.