More than 238,000 individuals users have had their family’s real-time location exposed for weeks on end after an app developer left sensitive data exposed on the internet, without a password.
Many users of “Family Locator”, an iOS app developed by React Apps, is promoted as a tool for helping users stay informed about the location of their loved ones. For a one-off payment, the app’s Australian developers offer to let you follow up to 10 family members or friends, getting “instant alerts when your loved one enters or exits a location” and providing a “detailed location history up to last three days.”
It’s easy to imagine how some might view such an app as a way of reassuring themselves that a partner has left or reached their office, or that kids have arrived at school safely.
But anyone who needs such reassurance probably is not going to be happy at all hearing that such sensitive information about their loved ones real-time whereabouts was accessible to anyone with an internet connection.
As TechCrunch reports, Family Locator’s MongoDB database was left utterly unprotected, unencrypted, and without any form of password protection on an internet server:
“Based on a review of the database, each account record contained a user’s name, email address, profile photo and their plaintext passwords. Each account also kept a record of their own and other family members’ real-time locations precise to just a few feet. Any user who had a geofence set up also had those coordinates stored in the database, along with what the user called them – such as ‘home’ or ‘work.'”
Security researcher Sanyam Jain discovered the data breach and informed TechCrunch who were able to confirm that the exposed database was continuing to record users’ real-time locations by signing up for an account using a dummy email address.
TechCrunch also contacted a user whose privacy had been exposed, who confirmed their leaked location information was accurate, and that a family member listed in the app was their child at a nearby high school.
Normally at this stage you would expect to hear that the journalists or researchers got in touch with the developers and urged them to shut down the security hole as a matter of priority.
On this occasion, however, TechCrunch reports that it spent over a week trying to contact React Apps to no avail. The company’s website contains no contact information, its WHOIS record is privacy-protected, and messages posted in an online feedback form were not answered. The journalists even went to the effort of purchasing the firm’s business records, which revealed the company owner’s name but still provided no contact information.
Ultimately, with no other options available, TechCrunch contacted Microsoft. As the exposed database was hosted on Microsoft’s Azure cloud server platform, it seems they were able to reach the developer and some hours later the database was finally taken offline.
There has still been no official statement from React Apps acknowledging the data breach or warning its users that a security incident has occurred through its own sloppiness.
We should be grateful for the persistence of TechCrunch and security researcher Sanyam Jain for working hard to get the problem fixed, and not giving up when they were confronted with a brick wall each time they attempted to reach the people responsible.