Earlier this week, it was reported that a company called LocationSmart partners with U.S. carriers to sell people's real-time location to all sorts of third parties. This news came as a rather unpleasant surprise on its own, but it's now been discovered that a bug on LocationSmart's website exposed the real-time location for around 200 million individuals.
According to ZDNet, LocationSmart used to feature a tool on its website that allowed you to try its tracking service before you bought it. With the consent of a friend or colleague, you could use LocationSmart's system to track their location for free. After entering your friend's number, they'd receive a text asking them to confirm it was okay for their location to be tracked, and once they agreed you'd be able to see where they were.
However, as noted by Robert Xiao, a Ph.D. student at Carnegie Mellon University —
Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location. The implication of this is that LocationSmart never required consent in the first place.
What sort of bug are we talking about? Per ZDNet —
Xiao said one of the APIs used in the "try" page that allowed users to try the location feature out was not validating the consent response properly. Xiao said it was "trivially easy" to skip the part where the API sends the text message to the user to obtain their consent.
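The page does not say how the consent check was skipped beyond "not validating the consent response properly", so the following is an added illustration of that class of bug, not LocationSmart's API or Xiao's proof of concept. It models a hypothetical consent-gated lookup two ways: a weak handler that trusts a client-supplied `consented` field (so the SMS step can simply be omitted), and a hardened handler that releases a location only when the server itself has recorded a verified SMS code for that request and that phone number. All names, fields, and the sample phone number and coordinates are assumptions.

```python
"""
Hypothetical consent-gated location lookup, constructed as an added example.
Not LocationSmart's code: names, fields and sample data are all assumptions.
"""
import hmac
import secrets

# Constructed sample data: what the carrier would return for a number.
CARRIER_LOCATIONS = {
    "+15555550100": {"lat": 40.4433, "lon": -79.9436},
}


def carrier_lookup(phone):
    """Stand-in for the carrier query; None for unknown numbers."""
    return CARRIER_LOCATIONS.get(phone)


class ConsentService:
    """Server-side consent state. Consent exists only if it is recorded here."""

    def __init__(self, send_sms):
        self._send_sms = send_sms   # assumed SMS gateway: callable(phone, code)
        self._pending = {}          # request_id -> (phone, expected code)
        self._granted = {}          # request_id -> phone whose owner confirmed

    def start(self, phone):
        """Create a consent request and text a one-time code to the subject."""
        request_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[request_id] = (phone, code)
        self._send_sms(phone, code)
        return request_id

    def confirm(self, request_id, code):
        """Called when the subject replies with the code from the text."""
        entry = self._pending.get(request_id)
        if entry is None:
            return False
        phone, expected = entry
        if not hmac.compare_digest(code, expected):
            return False
        del self._pending[request_id]
        self._granted[request_id] = phone
        return True

    def consume(self, request_id, phone):
        """Single-use check: true only if this request was confirmed for this phone."""
        if self._granted.get(request_id) != phone:
            return False
        del self._granted[request_id]
        return True


def locate_weak(service, phone, params):
    """Weak form: the consent decision lives in a client-controlled field.

    Nothing ties 'consented' to an SMS exchange, so a caller can skip the
    text entirely and go straight to the location.
    """
    if params.get("consented") != "true":
        return {"error": "consent required"}
    return {"location": carrier_lookup(phone)}


def locate_hardened(service, phone, params):
    """Hardened form: release only for a server-verified, single-use request
    that was issued for this exact phone number."""
    request_id = params.get("request_id")
    if request_id is None or not service.consume(request_id, phone):
        return {"error": "consent required"}
    return {"location": carrier_lookup(phone)}


if __name__ == "__main__":
    outbox = []  # stands in for the subject's phone
    svc = ConsentService(lambda phone, code: outbox.append((phone, code)))
    print("weak, no SMS:", locate_weak(svc, "+15555550100", {"consented": "true"}))
    print("hardened, no SMS:", locate_hardened(svc, "+15555550100", {"consented": "true"}))
    rid = svc.start("+15555550100")
    svc.confirm(rid, outbox[-1][1])
    print("hardened, confirmed:", locate_hardened(svc, "+15555550100", {"request_id": rid}))
```

The design point is that the consent token must be something only the server can mint and only the subject's handset can complete; a flag, a "status" field or a response format chosen by the caller is not consent. Binding the grant to the phone number and making it single-use also stops one confirmation from being replayed against other numbers or later lookups.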
That "try" page has since been removed from LocationSmart's site, and according to a spokesperson from the company, "the vulnerability was not exploited prior to May 16, and did not result in any customer information being obtained without their permission."
Even so, this bug potentially exposed the real-time location of around 200 million people in the United States and Canada, and LocationSmart hasn't provided any evidence to back up its claim that no information was stolen.