A popular phone tracking app was found to be leaking sensitive data on millions of its users.
A security researcher named Eric Daigle discovered the flaw in iSharing, a mobile app for device tracking with more than 10 million downloads on the Google Play Store, alone.
By abusing the vulnerability, Daigle was able to obtain every user’s exact coordinates, even if those users weren’t actively sharing their location with anyone else.
Improving security
While knowing someone’s precise location is a major security risk on its own, iSharing’s woes didn’t stop there. Daigle was also able to uncover users’ names, profile photos, and even phone numbers and email addresses used to log into the app.
This is more than enough information for someone who will stake a house and wait for its owner to leave, before breaking in.
Daigle goes in-depth on the findings on his blog, which you can read here. The gist of it is that iSharing’s servers were doing a poor job checking who was allowed to access whose location data.
The researcher stumbled upon the flaw during a wider investigation into the security of location-tracking mobile applications. He reached out to the developers which allegedly did not return the call. After that, he sought the help from TechCrunch who were the ones to break the news, too.
“We are grateful to the researcher for discovering this issue so we could get ahead of it,” iSharing co-founder Yongjae Chuh told TechCrunch in an email. “Our team is currently planning on working with security professionals to add any necessary security measures to make sure every user’s data is protected.”
The company later confirmed that a feature in the app, called groups, was flawed. The good news is that there is no evidence of anyone discovering the vulnerability before Daigle. A fix has since been deployed.