LocationSmart is a company that provides companies with location data that can be used for things like tracking employees and mobile advertising. It offered a free demo on its website that allowed anyone to see the location of their phone by entering their name, email address, and phone number. LocationSmart would text the phone for permission to ping the phone’s nearest tower, and then the company would text the user with their approximate longitude and latitude.
However, security researcher Robert Xiao recently discovered a bug in the LocationSmart website that would allow anyone to track the location of any phone. Xiao found that the LocationSmart site did not perform checks to block anonymous queries, and he was able to find the location of mobile phones without a password or any other credentials. In his testing, Xiao was able to track the location of a friend several times over several minutes, and another test gave Xiao coordinates for a location that was within 100 yards of the person’s location.
LocationSmart’s website includes mentions of all four major U.S. carriers as well as the likes of U.S. Cellular and Google.
The LocationSmart demo was taken offline shortly after the company was made aware of the bug this week. LocationSmart CEO Mario Proietti told KrebsOnSecurity that his company was investigating the issue, adding that LocationSmart makes data available “for legitimate and authorized purposes”. “We take privacy seriously and we’ll review all facts and look into them,” Proietti added.
Today the FCC said that it’s planning to investigate LocationSmart and its website flaw.
All of this news comes days after a similar location data incident. A company called Securus was obtaining location data from LocationSmart and, while Securus was primarily used to monitor phone calls to prison inmates, a former Mississippi County, Mo., sheriff used Securus to track the locations of other people’s cellphones without court orders.
When asked about these incidents, a T-Mobile spokesperson gave the following statement to FierceWireless:
“We take the privacy and security of our customers’ data very seriously. We have addressed issues that were identified with Securus and LocationSmart to ensure that such issues were resolved and our customers’ information remains protected. We continue to investigate this.”