LocationSmart Bug Provided Easy Access to Real-Time Location Data of Millions of Phones

Robert Xiao, a computer science student at Carnegie Mellon, recently discovered a vulnerability in LocationSmart's website that made the real-time location of millions of phones readily available to anyone with the knowhow.

phones
For background, LocationSmart is a company that collects location data of mobile customers from major carriers, including Verizon, AT&T, Sprint, and T-Mobile in the United States, and then sells it to other companies for a range of purposes, including compliance, cybersecurity, and proximity marketing.

Up until the vulnerability was discovered, LocationSmart offered a trial webpage that allowed anyone to enter their phone number, confirm the request via SMS or a phone call, and view their approximate real-time location.

locationsmart demo

LocationSmart's since-removed trial page via Krebs on Security

The problem, as Xiao discovered, was that the webpage had a bug that allowed anyone with the technical skills to bypass the phone number verification process and view the real-time location of any subscriber to most major carriers in the United States, in addition to Bell, Rogers, and Telus in Canada.

In a blog post, Xiao said the bug essentially involves requesting the location data in JSON format, instead of the default XML format:

If you make the same request with requesttype=locreq.json, you get the full location data, without receiving consent. This is the heart of the bug. Essentially, this requests the location data in JSON format, instead of the default XML format. For some reason, this also suppresses the consent (“subscription”) check.

Upon discovering the vulnerability, Xiao immediately contacted the US-CERT to coordinate disclosure, and shared details with Brian Krebs, who published a story with further details on his blog Krebs on Security.

Xiao told Krebs that he was able to obtain the approximate longitude and latitude of five different people who agreed to be tracked, coming within 100 yards and 1.5 miles of their then-current locations, all in a matter of seconds. LocationSmart plotted the coordinates on a Google Street View map.

"I stumbled upon this almost by accident, and it wasn't terribly hard to do," Xiao said. "This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent."

Xiao said his tests showed he could reliably query LocationSmart's service to ping the cell phone tower closest to a subscriber's mobile device. Xiao said he checked the mobile number of a friend several times over a few minutes while that friend was moving. By pinging the friend's mobile network multiple times over several minutes, he was then able to plug the coordinates into Google Maps and track the friend’s directional movement.

It's not clear exactly how long LocationSmart has offered its trial service or how long it has been vulnerable. Krebs linked to an archived version of the website that suggests it dates back to at least January 2017.

When reached for comment via phone, LocationSmart's founder and CEO Mario Proietti told Krebs that the company was investigating.

"We don't give away data," Proietti said. "We make it available for legitimate and authorized purposes. It's based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously and we’ll review all facts and look into them."

A spokesperson for AT&T told Krebs that the carrier "does not permit the sharing of location information without customer consent or a demand from law enforcement," while Verizon, Sprint, and T-Mobile all pointed towards their privacy policies.

LocationSmart was already in the news prior to this relevation. The New York Times last week reported that Cory Hutcheson, a former Missouri sheriff, was charged with using a private service called Securus, which obtained data from LocationSmart, to track people's phones without court orders.

Those headlines are what prompted Xiao to poke around LocationSmart's website and ultimately discover this vulnerability. However, while the page has been taken down, it's unclear what steps will be taken next if any. At least one U.S. senator has urged the FCC to enforce stricter privacy laws on carriers.

More Coverage: A bug in cell phone tracking firm's website leaked millions of Americans' real-time locations by ZDNet's Zack Whittaker

Update: The FCC's Enforcement Bureau has confirmed it will investigate LocationSmart, according to CNET.

Popular Stories

iOS 18 Siri Integrated Feature

Report: These 10 New AI Features Are Coming in iOS 18

Sunday May 26, 2024 12:57 pm PDT by
iOS 18 and macOS 15 will offer an array of new AI features such as auto-generated emojis, suggested replies to emails and messages, and more, Bloomberg's Mark Gurman reports. A significant portion of Apple's Worldwide Developers Conference (WWDC) is expected to focus on AI features. Writing his latest "Power On" newsletter, Gurman explained that Apple's AI strategy emphasizes providing...
new best buy blue

Best Buy's Memorial Day Sale Has Record Low Prices on iPads, MacBooks, and Much More

Friday May 24, 2024 7:12 am PDT by
Best Buy today kicked off its Memorial Day weekend sale, and it has some of the best prices we've tracked in weeks on iPads and MacBooks. Specifically, you'll find record low prices on the 5th generation iPad Air, iPad mini 6, M2 MacBook Air, and M3 MacBook Pro. Note: MacRumors is an affiliate partner with Best Buy. When you click a link and make a purchase, we may receive a small payment,...
iOS 18 WWDC 24 Feature 2

Gurman: iOS 18 Will Allow Users to Recolor App Icons and Place Them Anywhere

Sunday May 26, 2024 12:22 pm PDT by
Apple's iOS 18 update will introduce new features for further customizing the iPhone's home screen, according to Bloomberg's Mark Gurman. In the latest edition of his "Power On" newsletter, Gurman claimed that Apple will allow users to change the color of app icons in iOS 18. For example, "you can make all your social icons blue or finance-related ones green." This kind of home screen...
Apple iPhone 14 color lineup feature

Apple Now Selling Refurbished iPhone 14 Models

Friday May 24, 2024 11:15 am PDT by
Apple today added refurbished iPhone 14, iPhone 14 Plus, iPhone 14 Pro, and iPhone 14 Pro Max devices to its online store for refurbished products, offering the prior-generation iPhones at a discount for the first time since their 2022 launch. The iPhone 14 is available starting at $619, the iPhone 14 Pro is available starting at $759, and the iPhone 14 Pro Max is available starting at $849. ...
top stories 25may2024

Top Stories: iOS 17.5.1 Fixes Concerning Photos Bug, All-New iPhone 17 Model Rumored, and More

Saturday May 25, 2024 6:00 am PDT by
It's been quite a week of Apple news and rumors, ranging from a concerning bug with deleted photos reappearing on users' devices to hot rumors about a new high-end iPhone model for 2025 and a MacBook with a foldable screen coming as soon as 2026. Other news and rumors this week included fresh expectations for iOS 18 features and new headphones from Sonos to compete head-to-head with AirPods...

Top Rated Comments

slimtastic Avatar
79 months ago
How on earth is this company gathering location data on everyone from each carrier? The carriers are really sharing this info with third-parties? Or am I missing something here? I was under the impression this was illegal.
Score: 12 Votes (Like | Disagree)
coolfactor Avatar
79 months ago
As a web software engineer, I'm always watchful for how requests to a server could be abused, and take a security-first approach. My software has multiple layers of checks and balances before a request for a resource is satisfied.

This company hired the wrong developer.
[doublepost=1526665215][/doublepost]
So to get this clear, its not a bug in the iPhone, but in a 3rd parties 3rd party service ?
That's correct.
Score: 12 Votes (Like | Disagree)
WannaGoMac Avatar
79 months ago
How are carriers allowed to just give my real time location to a 3rd party? Where can I remove my consent??
Score: 10 Votes (Like | Disagree)
Tech198 Avatar
79 months ago
There's a company like this..??
Score: 10 Votes (Like | Disagree)
Martin Bland Avatar
79 months ago
The question everyone should be asking is why do carriers think it is ok to sell customer location data. Where is the carrier contract fine print that allows this?

One more reason I would switch to an Apple mobile service. In a heartbeat.
Score: 9 Votes (Like | Disagree)
m4mario Avatar
79 months ago
What non sense? How can carriers share my location data? Or even think its ok to track it for themselves.
Score: 5 Votes (Like | Disagree)