Last week, when a security researcher said he could easily obtain the precise location from any one of the millions of users of a widely used phone-tracking app, we had to see it for ourselves.
Eric Daigle, a computer science and economics student at the University of British Columbia in Vancouver, found the vulnerabilities in the tracking app iSharing as part of an investigation into the security of location-tracking apps. iSharing is one of the more popular location-tracking apps, claiming more than 35 million users to date.
The Vulnerabilities
Daigle said the bugs allowed anyone using the app to access anyone else’s coordinates, even if the user wasn’t actively sharing their location data with anybody else. The bugs also exposed the user’s name, profile photo and the email address and phone number used to log in to the app.
The bugs meant that iSharing’s servers were not properly checking that app users were only allowed to access their own location data or someone else’s location data shared with them. Location-tracking apps — including stealthy "stalkerware" apps — have a history of security mishaps that risk leaking or exposing users’ precise location.
Demonstrating the Vulnerability
It took Daigle only a few seconds to locate this reporter down to a few feet. Using an Android phone with the iSharing app installed and a new user account, we asked the researcher if he could pull our precise location using the bugs. "770 Broadway in Manhattan?" Daigle responded, along with the precise coordinates of TechCrunch’s office in New York from where the phone was pinging out its location.
The security researcher pulled our precise location data from iSharing’s servers, even though the app was not sharing our location with anybody else.
Contacting the App Makers
Daigle shared details of the vulnerability with iSharing some two weeks earlier but had not heard anything back. That’s when Daigle asked TechCrunch for help in contacting the app makers. iSharing fixed the bugs soon after or during the weekend of April 20-21.
"We are grateful to the researcher for discovering this issue so we could get ahead of it," iSharing co-founder Yongjae Chuh told TechCrunch in an email. "Our team is currently planning on working with security professionals to add any necessary security measures to make sure every user’s data is protected."
iSharing blamed the vulnerability on a feature it calls groups, which allows users to share their location with other users. Chuh told TechCrunch that the company’s logs showed there was no evidence that the bugs were found prior to Daigle’s discovery. Chuh conceded that there "may have been oversight on our end," because its servers were failing to check if users were allowed to join a group of other users.
The Proof-of-Concept Script
TechCrunch held the publication of this story until Daigle confirmed the fix. "Finding the initial flaw in total was probably an hour or so from opening the app, figuring out the form of the requests, and seeing that creating a group on another user and joining it worked," Daigle told TechCrunch.
From there, he spent a few more hours building a proof-of-concept script to demonstrate the security bug. Daigle, who described the vulnerabilities in more detail on his blog, said he plans to continue research in the stalkerware and location-tracking area.
The Importance of Location Data Security
Location data is highly sensitive information that can be used for malicious purposes if not handled properly. With the widespread use of location-tracking apps, it’s essential that these companies prioritize security and take measures to prevent such vulnerabilities from occurring.
Conclusion
The vulnerability in iSharing’s app highlights the need for location-tracking companies to prioritize security and take measures to prevent such vulnerabilities from occurring. As more people rely on these apps to track their loved ones or themselves, it’s crucial that these companies ensure they are handling user data responsibly.
Recommendations for Location-Tracking App Developers
- Implement robust access controls: Ensure that users can only access their own location data or the location data of others with whom they have shared permission.
- Regularly update and patch software: Regularly review your app’s code, identify vulnerabilities, and fix them promptly to prevent exploitation by hackers.
- Conduct security audits: Regularly conduct thorough security audits to identify potential vulnerabilities before they are exploited.
- Implement encryption: Encrypt sensitive user data, such as location information, to protect it from unauthorized access.
By taking these measures, location-tracking app developers can help ensure the safety and security of their users’ personal data.
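The group-join oversight described above and the access-control recommendation come down to two server-side checks, sketched here as an added example that is not iSharing's code. The `LocationService` model, its method names and the user and group ids are hypothetical, and `caller` is assumed to be the identity taken from the authenticated session.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Caller is authenticated but not authorized for this object."""

@dataclass
class Group:
    owner: str
    members: set = field(default_factory=set)
    invited: set = field(default_factory=set)  # users the owner chose to share with

class LocationService:
    """Hypothetical in-memory model; `caller` is the authenticated session user."""
    def __init__(self):
        self.groups = {}     # group_id -> Group
        self.locations = {}  # user_id -> (lat, lon)

    def create_group(self, caller, group_id):
        # Owner comes from the session, never from a user id in the request body.
        self.groups[group_id] = Group(owner=caller, members={caller})

    def invite(self, caller, group_id, invitee):
        group = self.groups[group_id]
        if caller != group.owner:
            raise Forbidden("only the group owner can invite")
        group.invited.add(invitee)

    def join_group_unchecked(self, caller, group_id):
        # Weak form: knowing a group id is enough to become a member.
        self.groups[group_id].members.add(caller)

    def join_group(self, caller, group_id):
        # Hardened form: membership requires a pending invitation from the owner.
        group = self.groups[group_id]
        if caller not in group.invited:
            raise Forbidden("no invitation for this group")
        group.invited.discard(caller)  # an invitation is single-use
        group.members.add(caller)

    def get_location(self, caller, target):
        # Object-level check on every read: self, or a group both users belong to.
        shared = any(caller in g.members and target in g.members
                     for g in self.groups.values())
        if caller != target and not shared:
            raise Forbidden("target is not sharing location with caller")
        return self.locations[target]
```

The read check alone is not enough: if membership can be obtained through `join_group_unchecked`, `get_location` will treat the uninvited user as a legitimate group member, so both the join path and the read path need authorization.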