Last week, a security researcher claimed he could easily access the precise locations of millions of users of a popular phone-tracking app. To verify this claim, we conducted our own investigation.
Eric Daigle, a student at the University of British Columbia in Vancouver, discovered vulnerabilities in the iSharing tracking app while researching the security of location-tracking apps. iSharing, with over 35 million users, is among the most widely used location tracking apps.
According to Daigle, the bugs in the app allowed unauthorized access to a user’s coordinates, even if they were not actively sharing location data. Additionally, the bugs exposed personal information such as name, profile photo, email address, and phone number used for login.
The vulnerabilities were in iSharing’s servers, which let users access location data without properly checking that they were authorized to do so.
Location tracking apps, including “stalkerware” apps, have a history of security issues that could compromise user privacy.
During our test, Daigle was able to pinpoint our reporter’s precise location within seconds, demonstrating the severity of the vulnerabilities in the iSharing app.
iSharing was informed of the vulnerabilities two weeks prior but did not respond until TechCrunch intervened. The bugs were then fixed around April 20-21.
iSharing’s co-founder acknowledged the issue and stated plans to enhance security measures with the help of cybersecurity professionals.
The vulnerability was attributed to an app feature called groups, which allowed users to share locations. The company admitted to an oversight in not properly securing user data.
After spending time identifying and reporting the flaw, Daigle confirmed the fix before this story was published.
He detailed the vulnerabilities further on his blog and expressed intentions to continue researching stalkerware and location tracking.
To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.