Family app exposed the location of its users

A popular app for tracking the location of family members exposed the real-time whereabouts of more than 238,000 users for a few weeks after the developer left a server open without a password.

Family Locator, developed by the Australian company React Apps, allows family members to track each other in real time, for example spouses, or parents who want to know where their children are. It also lets users set up geofence alerts that send a notification when a family member enters or leaves a designated zone, such as school or work.

But the app's back-end MongoDB database was left unprotected and accessible to anyone who knew where to look. Sanyam Jain, a security researcher and member of the GDI Foundation, found the publicly accessible database and reported it to TechCrunch.

After examining the database, the publication found that every account in it contained a user name, email address, profile photo and unencrypted password. In addition, each account contained the real-time location of other family members, accurate to within a few meters. Any user with an account in the app could save the coordinates of other members, as well as places that users had designated as “Home” or “Work.” None of this data was encrypted at all.

TechCrunch verified the contents of the database by installing the app and registering with a fictitious email address. Within a few seconds, the user's real-time location appeared in the database as precise coordinates. The publication then contacted one of the app's users, who, although surprised, confirmed that all the information about him in the database was accurate, including his coordinates at that moment. He also said that a family member whose coordinates were in the database was his child, and that the coordinates pointed to the school where the child was at the time. He was not the only user in contact with TechCrunch who confirmed that the data in the database matched reality.

TechCrunch spent a week trying to contact the developer, React Apps, but to no avail. The company's website has no contact information and no privacy policy. The site's WHOIS record, which contains information about the owner of the site, uses privacy masking to hide the owner's email address. TechCrunch even bought the company's business record from the Australian Securities and Investments Commission solely to learn the name of the company's owner, Sandeep Singh Mann (Mann Sandip Singh), but the record held no contact information. The publication then sent several messages through the company's feedback form but received no acknowledgment.

On Friday, TechCrunch asked Microsoft, which hosted the database in its Azure cloud, to contact the developer. A few hours later the database was permanently disabled. It is not known exactly how long the database was exposed. Singh has still not acknowledged the data leak.
