200m mobile users in the United States and Canada may have had their personal location data exposed by a bug in the website of a prominent location tracking firm. LocationSmart, which provides real-time location data on mobile users, has already been embroiled in scandal this month.
Last week, it was revealed that LocationSmart had direct access to location data from AT&T, Verizon, T-Mobile and Sprint when a Senator questioned how a former police sheriff was able to access phone location data without a warrant. The sheriff accessed the information through Securus, a prison technology company, which in turn received the data from LocationSmart.
The firm is one of a handful of location aggregation companies operating in the US, and boasts coverage of 95 per cent of the US thanks to deals with all the major US carriers, as well as with Canadian operators like Bell, Rogers and Telus. However, whether explicit consent for third-party location sharing had been secured by all the operators it deals with is unclear.
Now, with LocationSmart at the centre of a data privacy row, a security researcher at Carnegie Mellon University has discovered a simple bug in the firm's website that places the location data of around 200m users at risk.
LocationSmart's website included a 'try-before-you-buy' page, where potential customers could test the accuracy of its data. Normally, this page required explicit consent from the phone user being tracked, obtained via SMS. However, a bug in the website meant that anyone could be tracked, without the need for permission.
"Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University who discovered the bug, in a call with ZDNet. "The implication of this is that LocationSmart never required consent in the first place. There seems to be no security oversight here."
LocationSmart says it has confirmed that the vulnerability was not exploited before Xiao's investigation and that no customer information was obtained without permission, but it has supplied no evidence to support this claim. LocationSmart has removed the service containing the vulnerability from its website.
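The failure described above is a consent step that existed in the web flow but was not enforced by the part of the service that actually released the data. The following is an added illustration, not LocationSmart's code, and the article does not say how the real bug worked; the data model, the `ConsentStore` class, the endpoint functions, the phone numbers and the coordinates are all constructed here. It contrasts a lookup that trusts a caller-supplied "consented" flag with one that checks a server-side record of an SMS confirmation before returning anything.

```python
"""Added example: server-side enforcement of SMS consent for a location lookup.
Everything below is hypothetical and constructed for illustration."""

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

CONSENT_TTL_SECONDS = 600  # assumed policy: a verified consent is good for ten minutes

# Constructed sample data standing in for the carrier feed; numbers and coordinates are made up.
SAMPLE_LOCATIONS: Dict[str, Tuple[float, float]] = {
    "15550001111": (40.4433, -79.9436),
    "15550002222": (43.6532, -79.3832),
}


def _hash(code: str) -> str:
    # Store only a digest of the one-time code, never the code itself.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class ConsentRecord:
    code_hash: str
    issued_at: float
    verified: bool = False


class ConsentStore:
    """Server-side record of which numbers have confirmed an SMS code."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._records: Dict[str, ConsentRecord] = {}
        self._now = now  # injectable clock so expiry can be tested offline

    def start(self, msisdn: str) -> str:
        """Issue a one-time code for msisdn. In a deployment the code goes to the
        handset by SMS; it is returned here only so the example runs offline."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._records[msisdn] = ConsentRecord(code_hash=_hash(code), issued_at=self._now())
        return code

    def confirm(self, msisdn: str, code: str) -> bool:
        """Mark the number as consented only if the code matches and is still fresh."""
        rec = self._records.get(msisdn)
        if rec is None or self._now() - rec.issued_at > CONSENT_TTL_SECONDS:
            return False
        if not hmac.compare_digest(rec.code_hash, _hash(code)):
            return False
        rec.verified = True
        return True

    def is_verified(self, msisdn: str) -> bool:
        rec = self._records.get(msisdn)
        if rec is None or not rec.verified:
            return False
        return self._now() - rec.issued_at <= CONSENT_TTL_SECONDS


def locate_trusting_client(msisdn: str, client_says_consented: bool) -> Optional[Tuple[float, float]]:
    """Weak pattern (assumed, for contrast): the consent step lives in the web flow and
    the data endpoint trusts a flag the caller supplies, so the SMS step is decorative."""
    if not client_says_consented:
        return None
    return SAMPLE_LOCATIONS.get(msisdn)


def locate_hardened(store: ConsentStore, msisdn: str) -> Optional[Tuple[float, float]]:
    """Hardened pattern: the function that releases the data checks the server-side
    consent record itself, so no client-controlled input can skip the step."""
    if not store.is_verified(msisdn):
        return None
    return SAMPLE_LOCATIONS.get(msisdn)


if __name__ == "__main__":
    store = ConsentStore()
    number = "15550001111"
    print("before consent:", locate_hardened(store, number))
    code = store.start(number)  # would be delivered to the handset by SMS
    print("confirmed:", store.confirm(number, code))
    print("after consent:", locate_hardened(store, number))
```

The point of the hardened version is that consent state is looked up from the server's own store at the moment the data is released, with a bounded lifetime and a constant-time code comparison; the user interface can still walk the user through the SMS step, but nothing about the interface is what decides whether the location is returned.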
"This leak, coming only days after the lax security at Securus was exposed, demonstrates how little companies throughout the wireless ecosystem value Americans' security," said Senator Ron Wyden, who last week called on networks to end third-party data sharing. "It represents a clear and present danger, not just to privacy but to the financial and personal security of every American family."
With GDPR about to come into force for European consumers, it appears as though American legislators are finally considering their own approach to data privacy and protection.