{"id":14939,"date":"2019-03-27T09:10:09","date_gmt":"2019-03-27T17:10:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/03\/27\/news-8688\/"},"modified":"2019-03-27T09:10:09","modified_gmt":"2019-03-27T17:10:09","slug":"news-8688","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/03\/27\/news-8688\/","title":{"rendered":"Location data leaks from family tracking app database"},"content":{"rendered":"<p><strong>Credit to Author: Christopher Boyd | Date: Wed, 27 Mar 2019 16:00:00 +0000<\/strong><\/p>\n<p>An app called Family Locator, which allows family members to keep track of one another, recently experienced an <a href=\"https:\/\/techcrunch.com\/2019\/03\/23\/family-tracking-location-leak\/\">exposed database issue<\/a>\u00a0of the worst kind. Specifically: the MongoDB database was left exposed with no password, like so many other recent infosec tales of woe. The end result is the location of about 280,000 users leaking in real time.<\/p>\n<p>For a location tracking app that also includes information about children, this is quite the error. Map views, family maps, and push notifications to let you know where everybody is all sound great\u2014until random people also potentially have access to it. This is the fate handed to Family Locator these past few days, although nobody knows how long the sensitive data has been exposed.<\/p>\n<h3>What was leaked?<\/h3>\n<p>The Family Locator database records held names, email addresses, plain text passwords, and photographs, along with coordinates tied to user-allocated names, such as office, home, and condo. 
As per the TechCrunch report, none of it was encrypted, a misstep repeated by Facebook last week.<\/p>\n<p>On a related note, the app\u2019s privacy policy is rather short and to the point:<\/p>\n<blockquote>\n<p><strong><em>What information do we collect and how we use it<\/em><\/strong><\/p>\n<p><strong><em>Contact information:<\/em><\/strong><\/p>\n<p><em>When you create an account, we may collect your personal information such as your username, first and last name and email address.<\/em><\/p>\n<p><em>We may send important or promotional information about our products.<\/em><\/p>\n<p><strong><em>Geolocation data:<\/em><\/strong><\/p>\n<p><em>We collect your location through GPS, WiFi, or phone network in order to provide our Service.<\/em><\/p>\n<p><strong><em>Do we disclose any information to outside parties?<\/em><\/strong><\/p>\n<p><em>No. We do not sell, trade, or otherwise transfer to outside parties any of your personally identifiable information.<\/em><\/p>\n<p><strong><em>\u00a0Changes to our privacy policy<\/em><\/strong><\/p>\n<p><em>We may update this policy at any time by posting changes on this page.<\/em><\/p>\n<\/blockquote>\n<p>It seems the most-urgently required change to the page is the addition of the word \u201cwhoops.\u201d<\/p>\n<h3>Was there a real-world impact to this?<\/h3>\n<p>There absolutely was. After setting up a dummy account and verifying the accuracy of their coordinates against what was listed in the database, TechCrunch contacted one user randomly, who validated that their location exposed in the database was also correct, and that one of their family members using the app was their child.<\/p>\n<p>This is, frankly, terrible, especially as TechCrunch found numerous other parent\/child combinations in the database.<\/p>\n<h3>Did it all go wrong at this point?<\/h3>\n<p>You bet it did. I\u2019ve reported hundreds of security fails down the years. 
I\u2019ve had data exposure issues fixed on image hosting websites, exploits on social networking portals patched up, data hauls taken offline, outbreaks on instant messaging platforms shut down, and much more besides.<\/p>\n<p>Many people working in infosec do the same thing, all the time. Security awareness, even for other developers, used to be pretty bad a decade or more ago\u2014it was pretty much throw a paper plane and hope something lands.<\/p>\n<p>Things are supposed to be much better now, right?<\/p>\n<p>In the case of Family Locator, they aren&#8217;t.<\/p>\n<p>What happened next sounds like one of my wild goose chases from yesteryear. No useful information could be found on the site\u2019s WHOIS record or privacy policy page (as you can see above), and zero contact information was listed on the website. TechCrunch bought business records to finally obtain a name tied to the business, but that still didn\u2019t get them any further.<\/p>\n<p>Microsoft, who host the MongoDB database in question, were contacted, and eventually it was taken offline. Presumably they contacted the app developer, but it seems they\u2019ve still not acknowledged their leaky database, either way.<\/p>\n<h3>Are MongoDB breaches a thing?<\/h3>\n<p>Sadly, yes. <a href=\"https:\/\/www.mongodb.com\/what-is-mongodb\">MongoDB<\/a> is wonderful to deploy, but people seem to lose interest at the \u201clocking it down\u201d stage [<a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2015\/12\/massive-mackeeper-data-breach\/\">1<\/a>], [<a href=\"https:\/\/www.computerworld.com\/article\/3016216\/over-680tb-of-data-exposed-in-mongodb-databases.html\">2<\/a>], [<a href=\"https:\/\/www.zdnet.com\/article\/mongodb-server-leaks-11-million-user-records-from-e-marketing-service\/\">3<\/a>]. Sometimes, it\u2019s deviations from default configurations causing the problem. Other times, nobody set a password. 
This is disappointing, given the <a href=\"https:\/\/docs.mongodb.com\/manual\/security\/\">security documentation<\/a> available to ensure everything on the server stays secure.<\/p>\n<h3>What now?<\/h3>\n<p>If you\u2019re one of the app users caught up in these events, try not to panic. While the data was exposed, it\u2019s most likely to be abused by marketers and scrapers, and not so much hardened criminals. While this isn\u2019t exactly great, it\u2019s still better (and more probable) than \u201cdubious stalker character uses this data to lurk near my home.\u201d The chances of someone like that not only being able to find the data, but be close enough to your location to do something with it are remote.<\/p>\n<p>It\u2019s also a good reminder that we can\u2019t possibly predict how secure a service is when signing up to it.<span class=\"Apple-converted-space\">\u00a0 <\/span>The more access you give to your personal life, the more damage can be done should something go wrong afterwards. This may not be massively reassuring, but it\u2019s sadly where we\u2019re at. 
It\u2019s up to app developers to step up and do a better job of it.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/03\/location-data-leaks-from-family-tracking-app-database\/\">Location data leaks from family tracking app database<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/03\/location-data-leaks-from-family-tracking-app-database\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Wed, 27 Mar 2019 16:00:00 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/03\/location-data-leaks-from-family-tracking-app-database\/' title='Location data leaks from family tracking app database'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/03\/shutterstock_622185269.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>An app called Family Locator exposed the personal information and locations of 280,000 users in real time, including children. How did this happen? 
And how can app developers avoid it in the future?<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/privacy\/\" rel=\"category tag\">Privacy<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/database\/\" rel=\"tag\">database<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/exposed\/\" rel=\"tag\">exposed<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/family\/\" rel=\"tag\">family<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/location\/\" rel=\"tag\">location<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mongodb\/\" rel=\"tag\">MongoDB<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/03\/location-data-leaks-from-family-tracking-app-database\/' title='Location data leaks from family tracking app database'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/03\/location-data-leaks-from-family-tracking-app-database\/\">Location data leaks from family tracking app database<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[4503,11784,21388,1702,16012,10695,5897],"class_list":["post-14939","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cybercrime","tag-database","tag-exposed","tag-family","tag-location","tag-mongodb","tag-privacy"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14939","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14939"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14939\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14939"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14939"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14939"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}