Last week, we had to see it for ourselves when a security researcher claimed he could easily obtain the precise location of any one of the millions of users of a widely used phone-tracking app. Eric Daigle, a computer science and economics student at the University of British Columbia in Vancouver, found the vulnerabilities in the tracking app iSharing as part of an investigation into the security of location-tracking apps.
iSharing: A Popular Location-Tracking App with Millions of Users
iSharing is one of the more popular location-tracking apps, claiming more than 35 million users to date. However, Daigle’s research revealed that the app has some serious security issues.
Vulnerabilities in iSharing Allow Access to Precise User Location
The bugs allowed anyone using the app to access anyone else’s coordinates, even if the user wasn’t actively sharing their location data with anybody else. The bugs also exposed the user’s name, profile photo and the email address and phone number used to log in to the app.
How Daigle Discovered the Vulnerability
Daigle said the bugs allowed him to access anyone’s location data by creating a group on another user and joining it. He spent only an hour or so working out the format of the requests and confirming that this approach worked.
The Proof-of-Concept Script
From there, he spent a few more hours building a proof-of-concept script to demonstrate the security bug. Daigle described the vulnerabilities in more detail on his blog, stating that he plans to continue research in the stalkerware and location-tracking area.
iSharing’s Response
Daigle had shared details of the vulnerability with iSharing some two weeks earlier but had not heard anything back. That’s when Daigle asked TechCrunch for help in contacting the app makers. iSharing fixed the bugs soon after or during the weekend of April 20-21.
iSharing’s Co-founder Yongjae Chuh Responds
"We are grateful to the researcher for discovering this issue so we could get ahead of it," iSharing co-founder Yongjae Chuh told TechCrunch in an email. "Our team is currently planning on working with security professionals to add any necessary security measures to make sure every user’s data is protected."
Chuh’s Explanation
iSharing blamed the vulnerability on a feature it calls groups, which allows users to share their location with other users. Chuh told TechCrunch that the company’s logs showed there was no evidence that the bugs were found prior to Daigle’s discovery.
The "Groups" Feature: A Potential Weak Point
Chuh conceded that there ‘may have been oversight on our end,’ because its servers were failing to check if users were allowed to join a group of other users. This feature, while intended for sharing location information with others, appears to be a potential weak point in the app’s security.
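The server-side check whose absence Chuh describes, sketched as an added example that is not from the article or from iSharing's code. The class, its method names and the in-memory store are hypothetical, and the coordinates are constructed sample data.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Caller is not authorized for the requested action."""

@dataclass
class Group:
    owner: str
    members: set = field(default_factory=set)  # users who agreed to share
    invited: set = field(default_factory=set)  # pending invitations, no access yet

class GroupService:
    """Hypothetical in-memory model of a location-sharing backend."""

    def __init__(self, locations):
        self.locations = locations  # user_id -> (lat, lon), constructed sample data
        self.groups = {}

    def create_group(self, caller, group_id, invitees=()):
        # The creator enrolls only themselves; other users are invited, not added,
        # so a group cannot be attached to someone without their acceptance.
        self.groups[group_id] = Group(caller, {caller}, set(invitees))

    def join_unchecked(self, caller, group_id):
        # Flawed pattern: any authenticated caller becomes a member of any group.
        self.groups[group_id].members.add(caller)

    def join(self, caller, group_id):
        # Hardened: caller comes from the authenticated session (assumed) and
        # must hold a pending invitation for this specific group.
        group = self.groups.get(group_id)
        if group is None or caller not in group.invited:
            raise Forbidden("no invitation for this group")
        group.invited.discard(caller)
        group.members.add(caller)

    def get_location(self, caller, target):
        # Authorize every read: both users must be accepted members of one group.
        for group in self.groups.values():
            if caller in group.members and target in group.members:
                return self.locations[target]
        raise Forbidden("caller and target share no group")
```

With `join` in place of `join_unchecked`, a user who was never invited cannot become a member, and an invitation that the target has not accepted grants no access to the target's coordinates.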
TechCrunch’s Investigation
We asked Daigle to demonstrate the vulnerability using an Android phone with the iSharing app installed and a new user account. He responded with our precise location data from iSharing’s servers, even though the app was not sharing our location with anybody else.
Conclusion
Daigle’s research highlights the need for developers of location-tracking apps to prioritize security. The vulnerabilities in iSharing’s code demonstrate how easy it can be for malicious actors to access users’ precise locations without their consent. As we reported earlier, this is not an isolated incident; other location-tracking apps have also been found to have similar security issues.
Recommendations
To mitigate the risks associated with location-tracking apps, developers should:
- Implement robust security measures to prevent unauthorized access to user location data
- Conduct regular security audits and vulnerability testing to identify potential weak points
- Work with security professionals to develop secure coding practices and protocols
Users can also take steps to protect themselves by choosing apps that prioritize security and being mindful of the permissions they grant to location-tracking apps.