Tracking firm's website bug leaked location of nearly all U.S. cell phones

Galtero Lara
May 18, 2018

"And the gist of it is I can track most people's cell phones without their consent".

"LocationSmart was basically giving free-for-alls to anyone", he said. Earlier this week, ZDNet followed up on the Times report, revealing that Securus obtains its data through an intermediary called LocationSmart - a firm that has the ability to track any phone on Verizon, AT&T, T-Mobile or Sprint in seconds.

LocationSmart's demo page has been pulled offline, and the company did not respond to a request for comment.

"I had a friend driving around Hawaii, and I watched him driving around the island with his permission", Xiao said.

Xiao said the error might have exposed around 200 million cell phone users in the U.S. and Canada.

Xiao first tried it on his own phone, and then asked several of his friends to see if he could try it with their phone numbers. Another source said the location found by the researcher was 1.5 miles away from his current location.


Xiao published a detailed description of the demo bug.

LocationSmart founder and CEO Mario Proietti told Krebs he never meant to give away the service. The bug showed how simple changes to the Web requests that made the demo work could bypass the requirement that a location be queried only after the phone's user had approved. "We make it available for legitimate and authorized purposes". While wireless carriers aren't allowed to provide location data to the government, they have free rein to sell that data to other businesses, many of which have taken advantage of this loophole. "We take privacy seriously, and we'll review all facts and look into them".
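The failure mode described above, a consent check that a client can sidestep by changing the request, as an added illustration that is not LocationSmart's code: the request parameters, phone numbers and coordinates are constructed, and the `format` parameter that gates the flawed check is an assumption chosen only to show the pattern.

```python
# Added illustration (constructed; not LocationSmart's code): a location
# lookup whose consent gate depends on a client-controlled parameter, beside
# one that enforces consent on every path, plus a regression check a defender
# can run against either handler.
from typing import Callable, Optional, Tuple

# Constructed sample data: numbers whose owners approved tracking, and the
# location the backend would return for each number.
CONSENTED = {"+15551230001"}
LOCATIONS = {
    "+15551230001": (21.31, -157.86),
    "+15551230002": (40.71, -74.01),
}


class ConsentRequired(Exception):
    """Raised when the queried number's owner has not approved a lookup."""


def lookup_vulnerable(params: dict) -> Optional[Tuple[float, float]]:
    """Flawed: consent is verified only on the interactive (HTML) path, so a
    client that asks for any other output format skips the approval step.
    The 'format' parameter is assumed here purely for illustration."""
    number = params["number"]
    if params.get("format", "html") == "html" and number not in CONSENTED:
        raise ConsentRequired(number)
    return LOCATIONS.get(number)


def lookup_hardened(params: dict) -> Optional[Tuple[float, float]]:
    """Fixed: the consent decision is made once, server-side, before any
    lookup, and does not depend on anything the client sends besides the
    number being queried."""
    number = params["number"]
    if number not in CONSENTED:
        raise ConsentRequired(number)
    return LOCATIONS.get(number)


def consent_bypassed(handler: Callable[[dict], object], number: str) -> bool:
    """Regression check: does any request variant return a location for a
    number whose owner has not consented? Returns True if the gate leaks."""
    variants = [{"number": number}, {"number": number, "format": "json"}]
    for params in variants:
        try:
            if handler(params) is not None:
                return True
        except ConsentRequired:
            continue
    return False
```

The check is the part worth keeping: run it against every response format and parameter combination a handler accepts, because a consent gate that holds for the default request and fails for a variant is exactly the gap the demo exposed.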

News of the bug came just five days after the New York Times story on prison telecom company Securus, a customer of LocationSmart. Motherboard later reported that Securus experienced its own security breach that exposed the usernames and weakly protected passwords of thousands of Securus customers.

The parade of bad privacy news this week has managed to get even worse, as one of the companies associated with the scandal over selling phone locations for cash was found to have a publicly exploitable bug.

Krebs contacted all four of the major U.S. mobile carriers, and all declined to confirm or deny a formal business relationship with LocationSmart, despite LocationSmart displaying the carriers' corporate logos on its website. The service has now been taken down, after Krebs on Security notified the company.
