Vulnerabilities in a Popular Phone Tracking App Have Exposed Users’ Precise Locations | TechCrunch

Last week, when a security researcher said he could easily get the exact location of any of the millions of users of a widely used phone tracking app, we had to see for ourselves.

Eric Daigle, a computer science and business student at the University of British Columbia in Vancouver, discovered the vulnerabilities in the tracking app iSharing as part of an investigation into the security of location tracking apps. iSharing is one of the most popular location tracking apps and has more than 35 million users to date.

Daigle said the flaws allowed anyone using the app to access other people’s coordinates, even if the user wasn’t actively sharing their location data with others. The bugs also exposed the user’s name, profile photo, and the email address and phone number used to log in to the app.

The bugs meant that iSharing’s servers were not properly checking that app users could access only their own location data or location data that someone else had shared with them.

Location tracking apps – including stealthy “stalkerware” apps – have a history of security flaws that risk leaking or exposing users’ precise locations.

In this case, it took Daigle just a few seconds to locate this reporter within a few meters. Using an Android phone with the iSharing app installed and a new user account, we asked the researcher if he could use the bugs to determine our exact location.

“770 Broadway in Manhattan?” Daigle replied, along with the exact coordinates of the TechCrunch office in New York from which the phone was pinging its location.

The security researcher retrieved our precise location data from iSharing’s servers, even though the app did not share our location with others. Photo credit: TechCrunch (screenshot)

Daigle had shared details of the vulnerability with iSharing about two weeks earlier, but had received no response. At that point, Daigle asked TechCrunch for help contacting the app makers. iSharing fixed the bugs soon after, or during, the weekend of April 20-21.

“We are grateful to the researcher for discovering this issue so we can get ahead of it,” iSharing co-founder Yongjae Chuh said in an email to TechCrunch. “Our team currently plans to work with security experts to take all necessary security measures to ensure that every user’s data is protected.”

iSharing attributed the vulnerability to a feature called “Groups,” which allows users to share their location with other users. Chuh told TechCrunch that the company’s logs showed there was no evidence the bugs were found before Daigle’s discovery. Chuh acknowledged that “there may have been an oversight on our part” because the servers did not check whether users were allowed to join a group of other users.
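As an added illustration (not iSharing's code and not part of the original article), the Python model below shows the kind of server-side checks the paragraph above describes as missing: a group can only be created by its authenticated owner, joining requires an invitation, and a location is readable only by someone in a group with that user. All class, method and user names are hypothetical, and `caller` is assumed to be the user id taken from the authenticated session rather than from the request body.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """The authenticated caller is not authorized for this action."""

@dataclass
class Group:
    owner: str
    members: set = field(default_factory=set)
    invited: set = field(default_factory=set)

class GroupService:
    """Hypothetical in-memory model; `caller` is the authenticated session's user id."""
    def __init__(self):
        self.groups = {}     # group_id -> Group
        self.locations = {}  # user_id -> (lat, lon), constructed sample data

    def create_group(self, caller, group_id, owner):
        # The owner must be the authenticated caller, never a client-supplied id.
        if owner != caller:
            raise Forbidden("cannot create a group for another user")
        self.groups[group_id] = Group(owner, {owner})

    def invite(self, caller, group_id, invitee):
        group = self.groups[group_id]
        if caller != group.owner:
            raise Forbidden("only the owner can invite")
        group.invited.add(invitee)

    def join(self, caller, group_id):
        group = self.groups[group_id]
        # Authorization on join: the caller needs a pending invitation.
        if caller not in group.invited:
            raise Forbidden("no invitation for this group")
        group.invited.discard(caller)
        group.members.add(caller)

    def get_location(self, caller, target):
        # Readable only by the user or by someone in a group with them.
        shared = any({caller, target} <= g.members for g in self.groups.values())
        if caller != target and not shared:
            raise Forbidden("location not shared with caller")
        return self.locations[target]

def denied(action, *args):
    """Return True if the service refuses the call with Forbidden."""
    try:
        action(*args)
    except Forbidden:
        return True
    return False
```

Every check runs on the server against the session identity, so a client that changes the user id or group id in a request is refused rather than trusted.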

TechCrunch held off publishing this story until Daigle confirmed the fix.

“Finding the initial bug probably took about an hour in total after I opened the app, figured out the form of the requests, and discovered that creating a group for another user and joining it worked,” Daigle told TechCrunch.

From there, he spent a few more hours creating a proof of concept script to demonstrate the security flaw.

Daigle, who described the vulnerabilities in more detail on his blog, said he plans to continue research into stalkerware and location tracking.

To contact this reporter, contact us via Signal and WhatsApp at +1 646-755-8849 or email. You can also send files and documents via SecureDrop.
