We normally consider family locator apps a blessing because they let us track our family members conveniently. But what if the private data such an app collects or shares is misused by cybercriminals because the app fails to secure it properly? It would instantly become a nuisance, no?
That is exactly what happened with the Family Locator app from Australian software house React Apps. According to security researcher Sanyam Jain's latest findings, the app leaked sensitive data, including real-time location information, of about 238,000 individuals.
The data had been exposed for several weeks because the database wasn't configured to keep it out of the wrong hands.
The location data exposure is a real concern here because the app leaked people's positions to within a few feet and even displayed the names of the geofenced areas used to alert or notify family members.
Reportedly, the app's developer didn't secure the server with a password, which is how the data leaked. For your information, the app allows registered members to track family members such as a spouse or children in real time. With the app's FollowMe feature, members receive alerts about the current status of their family members, such as whether a child has reached school or a spouse has reached the workplace.
The main culprit behind such a massive data leak is a poorly protected MongoDB database hosted on a cloud server. The database stored location data unencrypted, so anyone who found it through a scanning service like Shodan could view members' real-time location as well as their profile photos, email IDs, full names, and login credentials, passwords included.
This definitely puts members’ families at great risk since the geofenced locations data is also included in the leaked information.
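The failure described above is a configuration failure rather than an exploit: the database accepted connections from any address and never asked for credentials. The following script is an added example (not code from the article, React Apps, TechCrunch, or MongoDB) of the check a defender would run over a mongod.conf before exposing a server. The two configuration snippets are constructed for this illustration, and the minimal YAML parser is a hypothetical stdlib-only helper; real tooling would use PyYAML. The option names themselves (security.authorization, net.bindIp, net.bindIpAll, net.tls.mode) are genuine mongod settings.

```python
"""Audit a mongod.conf for the exposure pattern in the article:
no authentication, and the daemon listening on every interface."""
from __future__ import annotations

# Constructed sample: a configuration that leaves the instance readable
# by anyone who finds it with an internet-wide scanner.
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0       # listens on every interface
# no 'security' section: authorization defaults to disabled
"""

# Constructed sample: the same server with the controls turned on.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the app tier's private address
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
"""


def parse_simple_yaml(text: str) -> dict:
    """Minimal indentation-based parser for the 'key: value' subset that
    mongod.conf uses (hypothetical helper; use PyYAML in real tooling)."""
    root: dict = {}
    stack: list[tuple[int, dict]] = [(-1, root)]  # (indent, mapping)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:             # climb out of deeper blocks
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:                                     # a nested mapping follows
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def audit_mongod_config(cfg: dict) -> list[str]:
    """Return one finding per weak setting; an empty list means none found."""
    findings: list[str] = []
    security = cfg.get("security", {})
    if security.get("authorization") != "enabled":
        findings.append("security.authorization is not enabled: any client "
                        "that reaches the port can read every collection")
    net = cfg.get("net", {})
    bind = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]
    if net.get("bindIpAll") == "true" or any(a in ("0.0.0.0", "::", "*") for a in bind):
        findings.append("net.bindIp listens on all interfaces: the database is "
                        "reachable from the internet, not just the app tier")
    if net.get("tls", {}).get("mode") != "requireTLS":
        findings.append("net.tls.mode is not requireTLS: location data crosses "
                        "the network in plaintext")
    return findings


def audit_text(conf_text: str) -> list[str]:
    """Parse a mongod.conf string and audit it in one step."""
    return audit_mongod_config(parse_simple_yaml(conf_text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_text(conf) or ['no findings']}")
```

Running the script reports three findings for the weak configuration and none for the hardened one. Binding to a private address and enabling authorization are the two settings whose absence let the Family Locator database be found and read by strangers; requiring TLS addresses the separate point that the location data also travelled unencrypted.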
Jain, who is associated with the GDI Foundation, notified TechCrunch about the unsecured database. TechCrunch verified the information in the database by downloading the app and registering with a fake email ID. As soon as sign-up completed, their real-time location appeared in the database with exact coordinates.
TechCrunch then contacted a randomly chosen registered member, who was naturally shocked by the findings. The unnamed user also confirmed that the location information about his workplace and his child's school was completely accurate.
TechCrunch's Zack Whittaker tried to contact React Apps, but the company didn't respond. TechCrunch then contacted the Australian Securities & Investments Commission for the company's business records, which identified React Apps' owner as Sandip Mann Singh. However, no contact number for the owner was listed.
I've spent an entire day desperately trying to track down the developer of an app leaking a shit ton of highly sensitive location data of hundreds of thousands of users. Nothing has come up — literally nothing.
Not sure how to approach this one.
— Zack Whittaker (@zackwhittaker) March 22, 2019
TechCrunch then informed Microsoft, which hosted the MongoDB database on its Azure cloud platform. Microsoft contacted the developer, after which the database was taken offline. It is currently unclear how long the database remained exposed.
Finally, 2019-0034 is solved and with the help of @zackwhittaker, @0xDUDE the database has been taken offline. Thanks both of you. But I should say the company should take care of the data and such sensitive data shouldn't be left exposed.
— Sanyam J. (@HydroMercury) March 23, 2019