A popular family tracking app was leaking the real-time locations of more than 238,000 users for weeks after the developer left a server exposed without a password.
The app, Family Locator, built by Australia-based software house React Apps, lets family members track each other in real time, such as spouses or parents wanting to know where their children are. It also lets users set up geofenced alerts that send a notification when a family member enters or leaves a certain location, such as school or work.
But the backend MongoDB database was left unprotected and accessible by anyone who knew where to look.
Sanyam Jain, a security researcher and a member of the GDI Foundation, found the database and reported the findings to TechCrunch.
Based on a review of the database, each account record contained a user’s name, email address, profile photo and their plaintext passwords. Each account also kept a record of their own and other family members’ real-time locations precise to just a few feet. Any user who had a geofence set up also had those coordinates stored in the database, along with what the user called them — such as “home” or “work.”
None of the data was encrypted.
TechCrunch verified the contents of the database by downloading the app and signing up using a dummy email address. Within seconds,...