Last week, when a security researcher said he could easily get the exact location of any of the millions of users of a widely used phone tracking app, we had to see for ourselves.
Eric Daigle, a computer science and economics student at the University of British Columbia in Vancouver, found the vulnerabilities in the iSharing tracking app as part of an investigation into the security of location tracking apps. iSharing is one of the most popular location tracking apps, with more than 35 million users to date.
Daigle said the bugs allowed anyone using the app to access anyone else’s coordinates, even if the user wasn’t actively sharing their location data with anyone else. The bugs also exposed the user’s name, profile photo, and the email address and phone number used to log into the app.
The bugs meant that iSharing's servers weren't properly checking that a user could only access their own location data, or location data that another user had chosen to share with them.
Location-tracking apps — including rogue “stalkerware” apps — have a history of security mishaps that risk leaking or revealing users’ exact location.
In this case, using an Android phone with the iSharing app installed and a new user account, we asked the researcher if he could find our exact location using the bugs. It took Daigle only a few seconds to locate this reporter to within a few feet.
“770 Broadway in Manhattan?” Daigle replied, along with the exact coordinates of TechCrunch’s New York office where the phone was pinging its location.
Daigle had shared details of the vulnerability with iSharing about two weeks earlier but hadn't heard back. That's when Daigle asked TechCrunch for help contacting the app's makers. iSharing fixed the bugs over, or shortly after, the weekend of April 20-21.
“We are grateful to the researcher who discovered this issue so we could catch it,” iSharing co-founder Yongjae Chuh said in an email to TechCrunch. “Our team is currently planning to work with security professionals to add all necessary security measures to ensure that each user’s data is protected.”
iSharing blamed the vulnerability on a feature it calls groups, which allows users to share their location with other users. Chuh told TechCrunch that the company’s logs showed there was no evidence that the bugs were detected before Daigle’s discovery. Chuh admitted that “there may have been an oversight on our part” because its servers failed to check whether users were allowed to join a group of other users.
TechCrunch withheld publication of this story until Daigle confirmed the fix.
“Finding the original flaw in total probably took an hour or so from opening the app, logging the format of the requests, and seeing that creating a group on another user and joining it worked,” Daigle told TechCrunch.
From there, he spent a few more hours creating a proof-of-concept script to demonstrate the security flaw.
Daigle, who described the vulnerabilities in more detail on his blog, said he plans to continue research in the area of stalkerware and location tracking.