LocationSmart Leaked Customers' Location Data Without Consent, User Authentication
Security researchers discovered and reported that an API vulnerability in LocationSmart’s free online demonstration tool could leak real-time location data of US telecommunication companies’ customers via mobile phone tracking. In relation, another company – Securus Technologies – was earlier reportedly breached by hackers who stole up to 2,800 credentials of law enforcement officers across the United States. The company was reportedly using LocationSmart’s service features to sell or give away data of mobile network subscribers to a Mississippi County sheriff's office.
LocationSmart’s website allowed potential customers to use a free demonstration tool online to track the approximate location of mobile devices by entering their name, email address, and phone number into a form. A text is sent to the phone number provided to request permission to ping the nearest cellular tower of major wireless carriers in the country for tracking and text the subscriber their estimated longitude and latitude via Google maps after providing consent.
However, Carnegie Mellon University PhD candidate Robert Xiao of the Human-Computer Interaction Institute reported that the service failed to check for basic authentication for anonymous and unauthorized requests. This means any other user who has the required basic information could easily search for a mobile number’s current location without providing any credentials. With his contacts’ consent, Xiao tested the query via the insecure API and was able to track his friends’ locations and directions while on the road within minutes. His contacts also sent feedback that the location coordinates were highly accurate, ranging from within a hundred yards of their real-time location to a little more than a mile.
Aside from making sure that their online apps and service features work, businesses should be concerned with securing their customers’ data and information. Likewise, individual mobile device owners should be concerned about the information they share online. Here are a few recommendations for ensuring online privacy and safety:
- Enable additional authentication measures for internal and external queries for information. While extra authentication methods are not foolproof, it is better to have an additional layer of security than none.
- Install patches and updates. Enterprises should regularly patch and update all systems to remove or reduce vulnerabilities that cybercriminals can exploit.
- Think before you post. Cybercriminals can easily browse social media to gain information about potential victims. Check your privacy settings and set to private all identifiable personal details.
- Check for app and software permissions. Refrain from approving permissions that take more information from users than required, and download apps and programs only from legitimate vendors.
Trend Micro’s Mobile Security solutions provide updated and 24/7 safety and security wherever you are. With an increasingly mobile workplace and workforce, it is now more important to protect sensitive information while they are on the go, leveraging the use of technology for increased productivity. Enterprises can achieve that balance for protection strategy while gaining visibility and control, streamlining and simplifying communications and management no matter where you are in the world.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: Trigona
- Steering Clear of Security Blind Spots: What SOCs Need to Know
- Understanding the Kubernetes Security Triad: Image Scanning, Admission Controllers, and Runtime Security
- Preempting Threats to Connected Cars: The Importance of Cybersecurity in a Data-Driven Automotive Ecosystem
- Your Stolen Data for Sale