Phone tracking app with millions of users has a major security flaw that can expose precise locations
iSharing was leaking sensitive data on millions of people
A popular phone tracking app was found to be leaking sensitive data on millions of its users.
A security researcher named Eric Daigle discovered the flaw in iSharing, a mobile app for device tracking with more than 10 million downloads on the Google Play Store, alone.
By abusing the vulnerability, Daigle was able to obtain every user’s exact coordinates, even if those users weren’t actively sharing their location with anyone else.
Improving security
While knowing someone’s precise location is a major security risk on its own, iSharing’s woes didn’t stop there. Daigle was also able to uncover users’ names, profile photos, and even phone numbers and email addresses used to log into the app.
This is more than enough information for someone who will stake a house and wait for its owner to leave, before breaking in.
Daigle goes in-depth on the findings on his blog, which you can read here. The gist of it is that iSharing’s servers were doing a poor job checking who was allowed to access whose location data.
The researcher stumbled upon the flaw during a wider investigation into the security of location-tracking mobile applications. He reached out to the developers which allegedly did not return the call. After that, he sought the help from TechCrunch who were the ones to break the news, too.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“We are grateful to the researcher for discovering this issue so we could get ahead of it,” iSharing co-founder Yongjae Chuh told TechCrunch in an email. “Our team is currently planning on working with security professionals to add any necessary security measures to make sure every user’s data is protected.”
The company later confirmed that a feature in the app, called groups, was flawed. The good news is that there is no evidence of anyone discovering the vulnerability before Daigle. A fix has since been deployed.
More from TechRadar Pro
- Hackers could track you across the globe due to this worrying smartphone security flaw
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.