LocationSmart Bug Provided Easy Access to Real-Time Location Data of Millions of Phones

Robert Xiao, a computer science student at Carnegie Mellon, recently discovered a vulnerability in LocationSmart's website that made the real-time location of millions of phones readily available to anyone with the knowhow.

phones
For background, LocationSmart is a company that collects location data of mobile customers from major carriers, including Verizon, AT&T, Sprint, and T-Mobile in the United States, and then sells it to other companies for a range of purposes, including compliance, cybersecurity, and proximity marketing.

Up until the vulnerability was discovered, LocationSmart offered a trial webpage that allowed anyone to enter their phone number, confirm the request via SMS or a phone call, and view their approximate real-time location.

locationsmart demo

LocationSmart's since-removed trial page via Krebs on Security

The problem, as Xiao discovered, was that the webpage had a bug that allowed anyone with the technical skills to bypass the phone number verification process and view the real-time location of any subscriber to most major carriers in the United States, in addition to Bell, Rogers, and Telus in Canada.

In a blog post, Xiao said the bug essentially involves requesting the location data in JSON format, instead of the default XML format:

If you make the same request with requesttype=locreq.json, you get the full location data, without receiving consent. This is the heart of the bug. Essentially, this requests the location data in JSON format, instead of the default XML format. For some reason, this also suppresses the consent (“subscription”) check.

Upon discovering the vulnerability, Xiao immediately contacted the US-CERT to coordinate disclosure, and shared details with Brian Krebs, who published a story with further details on his blog Krebs on Security.

Xiao told Krebs that he was able to obtain the approximate longitude and latitude of five different people who agreed to be tracked, coming within 100 yards and 1.5 miles of their then-current locations, all in a matter of seconds. LocationSmart plotted the coordinates on a Google Street View map.

"I stumbled upon this almost by accident, and it wasn't terribly hard to do," Xiao said. "This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent."

Xiao said his tests showed he could reliably query LocationSmart's service to ping the cell phone tower closest to a subscriber's mobile device. Xiao said he checked the mobile number of a friend several times over a few minutes while that friend was moving. By pinging the friend's mobile network multiple times over several minutes, he was then able to plug the coordinates into Google Maps and track the friend’s directional movement.

It's not clear exactly how long LocationSmart has offered its trial service or how long it has been vulnerable. Krebs linked to an archived version of the website that suggests it dates back to at least January 2017.

When reached for comment via phone, LocationSmart's founder and CEO Mario Proietti told Krebs that the company was investigating.

"We don't give away data," Proietti said. "We make it available for legitimate and authorized purposes. It's based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously and we’ll review all facts and look into them."

A spokesperson for AT&T told Krebs that the carrier "does not permit the sharing of location information without customer consent or a demand from law enforcement," while Verizon, Sprint, and T-Mobile all pointed towards their privacy policies.

LocationSmart was already in the news prior to this relevation. The New York Times last week reported that Cory Hutcheson, a former Missouri sheriff, was charged with using a private service called Securus, which obtained data from LocationSmart, to track people's phones without court orders.

Those headlines are what prompted Xiao to poke around LocationSmart's website and ultimately discover this vulnerability. However, while the page has been taken down, it's unclear what steps will be taken next if any. At least one U.S. senator has urged the FCC to enforce stricter privacy laws on carriers.

More Coverage: A bug in cell phone tracking firm's website leaked millions of Americans' real-time locations by ZDNet's Zack Whittaker

Update: The FCC's Enforcement Bureau has confirmed it will investigate LocationSmart, according to CNET.

Popular Stories

iPhone 17 Pro Dual Tone Feature 1

iPhone 17 Pro Launching Later This Year With These 8 New Features

Thursday January 9, 2025 5:45 am PST by
While the iPhone 17 Pro and iPhone 17 Pro Max are not expected to launch until September, there are already plenty of rumors about the devices. iPhone 17 Pro concept based on rumors Below, we recap key changes rumored for the iPhone 17 Pro models as of January 2025: More aluminum: iPhone 17 Pro models are rumored to have an aluminum frame, whereas the iPhone 15 Pro and iPhone 16 Pro models ...
airpods pro 2 botw

Hearing a Mysterious Chime From Your AirPods Pro Case? It's a Feature

Thursday January 9, 2025 3:42 pm PST by
If you've been hearing a chiming sound from your AirPods Pro 2 case when the AirPods are charging, it's a feature that Apple added with the launch of Hearing Health last year. In a support guide, Apple says that the AirPods Pro may play a sound every so often while in the case to ensure the microphones and speakers are working as intended. From Apple: To help ensure that your AirPods...
iPhone 17 Pro Dual Tone Horizontal 1

iPhone 17 Pro Main Camera Sensor 'Smaller' Than iPhone 16 Pro Sensor

Friday January 10, 2025 3:14 am PST by
This year's iPhone 17 Pro models will feature a smaller main camera sensor than the one used in the Fusion camera currently found in iPhone 16 Pro models, according to Weibo-based leaker Digital Chat Station. The Chinese leaker claims that Apple will adopt a 1/1.3" sensor for the 48MP main camera in the iPhone 17 Pro and iPhone 17 Pro Max, down from the 1/1.28" sensor used in the iPhone 16...
se 4 for 2025

When to Expect the iPhone SE 4 or So-Called 'iPhone 16E' to Launch

Friday January 10, 2025 9:20 am PST by
Apple is widely rumored to be planning a new iPhone SE, and multiple sources lately have commented on the device's launch timing. The latest word comes from Apple supply chain analyst Ming-Chi Kuo. In a blog post today, he said the device will be released around the middle of the first half of 2025. In other words, around the quarter mark of 2025. That means the next iPhone SE will likely be ...
HomePod mini and Apple TV

HomePod Mini 2 and New Apple TV Launch Timeframe Narrowed Down

Sunday January 12, 2025 4:11 pm PST by
Bloomberg's Mark Gurman recently reported that Apple plans to release new HomePod mini and Apple TV models this year, and now he has provided a more precise timeframe. In his Power On newsletter today, Gurman said Apple is currently aiming to launch the new HomePod mini and Apple TV models "toward the end of the year." That timeframe suggests the devices will be released at some point...
AppleEventLogoFeature

Apple Focusing on These Eight New Low-Cost Devices in 2025

Saturday January 11, 2025 1:00 am PST by
Apple's slate of 2025 products look to be dominated by a large number of low-cost and entry-level devices. Here's what to expect. With advancements like Apple Intelligence and all-new in-house chip designs, Apple is reportedly looking to enhance many of its budget-friendly offerings, ensuring they remain competitive in an increasingly crowded market. These updates also indicate a slight...
HomePod mini and Apple TV

New Apple TV and HomePod Mini Launching This Year With One Thing in Common

Wednesday January 8, 2025 6:18 am PST by
It was recently reported that new Apple TV and new HomePod mini models will launch this year, and the devices are expected to have one thing in common. Bloomberg's Mark Gurman last month reported that the new Apple TV and the new HomePod mini will be equipped with Apple's own combined Wi-Fi and Bluetooth chip. Gurman said the chip supports Wi-Fi 6E, so that could end up being a key upgrade...
M6 MacBook Pro Feature 1

5 Reasons to Wait for Next Year's MacBook Pro

Wednesday January 8, 2025 6:33 am PST by
Apple in October 2024 overhauled its 14-inch and 16-inch MacBook Pro models, adding M4, M4 Pro, and M4 Max chips, Thunderbolt 5 ports on higher-end models, display changes, and more. That's quite a lot of updates in one go, but if you think this means a further major refresh for the MacBook Pro is now several years away, think again. Bloomberg's Mark Gurman has said he expects only a small...

Top Rated Comments

slimtastic Avatar
87 months ago
How on earth is this company gathering location data on everyone from each carrier? The carriers are really sharing this info with third-parties? Or am I missing something here? I was under the impression this was illegal.
Score: 12 Votes (Like | Disagree)
coolfactor Avatar
87 months ago
As a web software engineer, I'm always watchful for how requests to a server could be abused, and take a security-first approach. My software has multiple layers of checks and balances before a request for a resource is satisfied.

This company hired the wrong developer.
[doublepost=1526665215][/doublepost]
So to get this clear, its not a bug in the iPhone, but in a 3rd parties 3rd party service ?
That's correct.
Score: 12 Votes (Like | Disagree)
WannaGoMac Avatar
87 months ago
How are carriers allowed to just give my real time location to a 3rd party? Where can I remove my consent??
Score: 10 Votes (Like | Disagree)
Tech198 Avatar
87 months ago
There's a company like this..??
Score: 10 Votes (Like | Disagree)
Martin Bland Avatar
87 months ago
The question everyone should be asking is why do carriers think it is ok to sell customer location data. Where is the carrier contract fine print that allows this?

One more reason I would switch to an Apple mobile service. In a heartbeat.
Score: 9 Votes (Like | Disagree)
m4mario Avatar
87 months ago
What non sense? How can carriers share my location data? Or even think its ok to track it for themselves.
Score: 5 Votes (Like | Disagree)