200 million people across U.S. and Canada had real-time location exposed
A company that collects location data from millions of cellphones across North America reportedly revealed the real-time location of over 200 million people due to a website bug.
LocationSmart is a company that compiles cellular data and sells it to third parties, such as app developers, to verify users’ locations or send location-based promotions, reports CNN. LocationSmart once featured a tool on its website that allowed users to try out its tracking services before buying them.
Users could enter another person's phone number and, with that person's consent, track their location for free. After entering the number, the person being located would receive a text asking them to confirm that they gave permission to be tracked. Once they had given permission, LocationSmart would text the subscriber their approximate latitude and longitude and plot the coordinates on a Google Street View map.
However, due to a bug on the site, this feature never required the consent of smartphone users before tracking their location. The flaw was discovered by Carnegie Mellon University researcher Robert Xiao and first reported Thursday by the security news site KrebsOnSecurity.
The cybersecurity blog said in a post that it “verified” that the vulnerability could be exploited to reveal the location of “any” phone on the four major networks in the United States. LocationSmart touts itself as the “world’s largest location-as-service company,” and claims to obtain information from all major U.S. and Canadian wireless companies, with 95 per cent coverage.
“This is really creepy stuff,” Xiao told KrebsOnSecurity, adding that he’d also successfully tested the vulnerable service against one Telus Mobility customer in Canada who volunteered to be found.
“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao continued. “This is something anyone could discover with minimal effort. And the gist of it is I can track most people’s cell phone without their consent.”
This comes shortly after a firm called Securus Technologies was accused of providing location data on mobile customers to a former Missouri sheriff accused of using the data to track people without a court order.
Xiao told the Associated Press that he could type in any ten-digit phone number and “get anyone’s location.” Within about 15 minutes on the site, he found a flaw that let him bypass the consent step for the person being tracked, and he said that doing so did not require much technical knowledge.
“It would not take anyone with sufficient technical knowledge much time to find this,” he said. His research determined that LocationSmart had been offering this service since at least January 2017.
Rich Young, a spokesperson for Verizon, said the company has taken steps to ensure that Securus can no longer request information on the company’s wireless customers and that it would be reevaluating its relationship with LocationSmart. T-Mobile similarly told the Associated Press that it has “addressed issues that were identified with Securus and LocationSmart.”
Representatives for AT&T and Sprint said they don’t allow sharing of location information without individual consent or a lawful order, such as a warrant.
Gigi Sohn, a former top aide at the FCC during the Obama administration, said user location data has been at high risk since last year. That’s when Congress repealed FCC privacy rules barring mobile wireless carriers from sharing or selling it without customers’ express “opt-in” consent.
“At a bare minimum, consumers should be able to choose whether a company like LocationSmart should have access to this data at all,” she said.
-With a file from the Associated Press.