Skip to main content

Around 200 million people had their real-time location exposed by LocationSmart

Earlier this week, it was reported that a company called LocationSmart partners with U.S. carriers to sell people's real-time location to all sorts of third parties. This news came as a rather unpleasant surprise on its own, but it's now been discovered that a bug on LocationSmart's website exposed the real-time location for around 200 million individuals.

According to ZDNet, LocationSmart used to feature a tool on its website that allowed you to try its tracking service before you bought it. With the consent of a friend or colleague, you could use LocationSmart's system to track their location for free. After entering your friend's number, they'd receive a text to confirm it was okay for their location to be tracked, and you'd be able to see where in the world they're at.

However, as noted by Robert Xiao, a Ph.D. student at Carnegie Mellon University —

Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location. The implication of this is that LocationSmart never required consent in the first place.

What sort of bug are we talking about? Per ZDNet

Xiao said one of the APIs used in the "try" page that allowed users to try the location feature out was not validating the consent response properly. Xiao said it was "trivially easy" to skip the part where the API sends the text message to the user to obtain their consent.

That "try" page has since been removed from LocationSmart's site, and according to a spokesperson from the company, "the vulnerability was not exploited prior to May 16, and did not result in any customer information being obtained without their permission."

Even so, this exploit potentially exposed the real-time location for around 200 million people in the United States and Canada and LocationSmart hasn't provided any evidence to back up its claim that no info was stolen.

All major U.S. carriers give your real-time location info to third parties

Joe Maring was a Senior Editor for Android Central between 2017 and 2021. You can reach him on Twitter at @JoeMaring1.

  • So what gives LocationSmart the right to take my location and sell it to third parties? When did I consent to this?
  • You agreed when you signed up for cell service, so you can thank your carrier for passing on your location data.
  • You don't have to consent. You did for a short period (Dec 2, 2016 - March 31, 2017) because of an FCC rule that protected your online privacy. That rule was stripped by the current congress, along straight party lines, who said big businesses like AT&T and Verizon needed extra protections.
  • Yep.
    You need to write another article on this, so people can understand better what the hell is going on. :)
  • The fact that third parties can buy the ability to track people... The fact that business was allowed to exist.. Is disgusting. Thank your American federally elected lawmakers that don't debate, don't read, & don't really care about the legislation they pass... As long as the lobbyist price is right.
  • Blame blame blame
  • Why not? American feds are a joke... The best government money can buy (& the third branch, the Supreme Court, ruled there is no limit to political buying). LocationSmart can not exist in countries like Canada or the UK.
  • Agreed. I didn't consent to any of this.
  • Time to make a HUGE social media event about this. I think I'll start on Twitter. #StopLocationSmart
  • You'd probably have more of an impact on Facebook, even with their screwy sort algorithm that thinks it knows best on what we want to see at the top of our feeds.
  • So even if you have locations turned off, carrier still have access to your location?
  • Yes, how do you think it knows when to switch even if our phone is off and the battery is in it they can track you if the wish. All they have to do is have you your phone ping a granted if you are in the middle of nowhere it will be off by 500 to 1500ft
    If in a city with multiple towers they can get it down to about plus or minus 3ft.
  • Misleading headline for the article. You clarify in the last two paragraphs there is no evidence one way or the other that location data were actually exposed. We should be skeptical of the company's claim but you also need to be responsible and not write a headline you can't back up with facts.
  • What? All major U.S. carriers give your real-time location info to third parties
  • Mass data collection and analysis is very different and anonymous.
    This is as bad as it gets due to being personal and unregulated.
  • WTF, now ???? This is really getting worse and worse by a day.
    Idk how we can put to stop this monster we allowed to be created.
    Maybe we can do it , once the people elected for the office start representing those who voted them in and actually feel beholden to the average Joe on the street not their donors.
    As of now, US has the worst and most corrupt government in the developed world. From health care to education system, environment protection, etc. For God's sake even the bribery is legalized - lobbying, Campaign donations, expenditures, etc.
    We gotta get "we the people" back into the political system, ASAP. Money out of politics, now!
  • Why are "WE" as consumer's just hearing about this sort of practice? Seriously. Take a moment or so to think about this. Why should you? Anyone who has a Microsoft Windows program is all too aware of this same business practice. EXCEPT who has stopped to consider just how long Microsoft was doing that?!
    Thanks (sarcastic or genuine) isn't owed to any political party (they create much better on their own) or whatever Brand/Carrier you're reading this on. No, none of them are at fault! SPOILER ALERT!! SPOILER ALERT...
    EVERYONE AND ANYONE who has a mobile device or EVEN COMES INTO CONTACT WITH SOMEONE WHO HAS 1 (granted probably more yet!) ARE ALL AT FAULT. Take a bow so that it has time to settle in...
    When I was growing up with VCR technology (those old enough are going to have fond memories while the DVR generation are either going to Wikipedia or some other source of answer to try making sense of this) WE were in control of all the information around us all the time! Age didn't matter. The size of your TV screen didn't matter!
    The gossip queen from the end of the street approaching gave 2 options. You stood & listened, maybe took note's or added to it. OR because you had that vhs tape waiting for you full of an hour to an hour and a half of your favorite commercials, you walked away! Maybe even met any greetings with "DON'T TELL ME! I HAVE IT RECORDED/RECORDING!!"
    These breaches of trust that are making headlines now can & are happening whether we take part or not now. Share something interesting with a friend & what eventually happens? It wind's up on some mobile device and/or social media outlet!
    To some I may be a middle aged nut (possibly worse!) yet I am willing to make 2 bet's right now. 1) The only reason for the news coverage suddenly (as Microsoft has only just started to spy on us now wink wink ;-) ) while some ad jockey writes a cheque for the latest list of potential marketing, made someone else mad about stealing away THEIR commission or whatever so ran out to the street to declare it. Bet on it!
    Bet #2! Some of you may have a legit gripe or 2 about this very article. Maybe some of you are a bit scared what else is now known about you, again possibly legitimate reason for it. Bet NOBODY will take the stance we did around those vhs tape's! Big deal if are still reading this & agree or not. By now quite a few have moved on already with their choice of name's/label's. By tomorrow they may let what I said cross their conscious thought as they once again delve into the same matter that made this all happen... As I said. 2 bet's right now. #1 Someone else felt cheated/screwed out/over & started talking. #2 Nobody is actually going to do anything to stop it from continuously happening!