LocationSmart bug is responsible for revealing the location data of almost any US phone
LocationSmart, a company providing cell phone location-tracking services, was discovered to have a serious bug on its website. Because of this bug, anyone who was aware of the problem could look up the location of phones on various network providers in the United States, such as AT&T, Verizon, Sprint and T-Mobile.
The bug was discovered in a demo that LocationSmart posted on its website. The demo sent a text message to a device to obtain permission from its owner before pinging the nearest cell phone tower. It was used to show people that the demo could approximate their phones' locations from nearby cell towers via Google Maps.
Robert Xiao, a doctoral student at Carnegie Mellon University's Human-Computer Interaction Institute, discovered the bug after seeing news articles about previous incidents of data tracking that involved LocationSmart. He then immediately contacted US-CERT and shared the information with independent security journalist Brian Krebs, who later published a report about the matter.
Anyone with elementary IT knowledge could have exploited the bug
As detailed in a separate write-up by Xiao, the problem was the demo's insecure API. As a result, anyone with IT-related knowledge could interact with the site in a way that allowed them to enter any phone number and get that phone's location without the owner's consent or knowledge.
Xiao said that the bug involves requesting location data in JSON format instead of the default XML:
If you make the same request with requesttype=locreq.json, you get the full location data, without receiving consent. This is the heart of the bug. Essentially, this requests the location data in JSON format, instead of the default XML format. For some reason, this also suppresses the consent (“subscription”) check.
In short, an unused location tracking mode in their locator demo did not properly validate that consent was received. I estimate that it took me around 15 minutes to find and develop the exploit – not a long time at all. I would not consider it a hard bug to find.
Krebs and Xiao tried it themselves. They were able to locate five people's phones (with their consent) to within 100 yards to 1.5 miles using the method Xiao discovered. The trial version has since been taken down, and a spokesperson from LocationSmart said that the vulnerability is now resolved. There are no plans so far to reintroduce the trial version of the site.
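The class of flaw described in Xiao's write-up, a consent check that runs for one output format but not for another, is shown below as an added example; it is not LocationSmart's code and not taken from the write-up. The handlers, function names and sample data are constructed for illustration, and only the requesttype value locreq.json comes from the quoted text.

```python
import json

# Constructed sample data: fictional 555 numbers. One has approved the
# consent text message, the other has not.
CONSENTED = {"+15555550100"}
LOCATIONS = {"+15555550100": (40.44, -79.94), "+15555550199": (37.77, -122.42)}


class ConsentRequired(Exception):
    """Raised when the subscriber has not approved the location request."""


def wants_json(requesttype):
    # "locreq.json" is the value quoted in the write-up; every other value is
    # treated as the default XML format here (an assumption of this example).
    return requesttype.endswith(".json")


def render(number, as_json):
    lat, lon = LOCATIONS[number]
    if as_json:
        return json.dumps({"number": number, "lat": lat, "lon": lon})
    return f'<location number="{number}" lat="{lat}" lon="{lon}"/>'


def locate_flawed(number, requesttype):
    """Flawed pattern: consent is checked only on the default XML branch."""
    if wants_json(requesttype):
        return render(number, as_json=True)  # no consent check on this path
    if number not in CONSENTED:
        raise ConsentRequired(number)
    return render(number, as_json=False)


def locate_fixed(number, requesttype):
    """Hardened pattern: authorize once, then choose the output format."""
    if number not in CONSENTED:
        raise ConsentRequired(number)
    return render(number, as_json=wants_json(requesttype))


def is_refused(handler, number, requesttype):
    """Regression check: True if the handler refuses the request."""
    try:
        handler(number, requesttype)
    except ConsentRequired:
        return True
    return False
```

Running is_refused over every supported requesttype with a number that has not consented is the regression test that catches this kind of format-dependent authorization gap.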
Bugs found by security researchers help people avoid the loss of personal data of millions
Xiao is not convinced that the vulnerability had not been exploited before, as he found an archived version of the site dating back to January 2017. LocationSmart's representative says that she is confident that the bug had not been exploited before May 16th and that none of the data was obtained or shared without users' knowledge. She also noted that the company is continually trying to improve its security measures and that this incident has already taught LocationSmart a valuable lesson.
Meanwhile, an AT&T representative points out that the company does not allow data sharing unless law enforcement demands it or permission is obtained from the targeted individual. Other mobile network providers simply urge users to read privacy policies before accepting them.
Xiao's discovery might have saved the private data of many users. Nevertheless, there are countless websites which harvest a significant amount of data, and nobody is entirely secure. Data breaches are a serious issue, as more and more of them are discovered each day.
As a result of this particular incident, at least one US senator has asked the FCC to impose stricter laws on data carriers.