A bug in a little-known service let anyone track the phone users of any US carrier


Data leaks no longer surprise anyone. But some cases are striking simply because they exist at all. One such example is a bug in the LocationSmart service that made it possible to track the mobile phone users of any US carrier in real time.

The service itself is built to locate phones on the networks of AT&T, Sprint, T-Mobile and Verizon, with an accuracy of a few tens of meters. Although the company presents its business as entirely legitimate, its demo version allowed anyone to monitor the customers of US carriers.

In principle, the demo did not hand out its functions without a verification step. First you had to enter a name, an email address and a phone number into a web form. The service then sent the specified phone a request for permission to look up its location by the nearest cell tower. As it turned out, that request could be modified so that the full lookup capability of the service became available without the consent step ever being completed.

This was first reported by Brian Krebs, a well-known information security journalist. The problem was that the developers had left out the basic check that the person entering the number actually had the right to the data: the server never verified that the phone's owner had approved the request. As a result, almost anyone with a basic understanding of how websites work could reach LocationSmart's far-from-harmless features, with no password or other credentials required.

"I was just taken aback when I saw how easy it was to get to the capabilities of LocationSmart," said another infosec specialist. "This is something that almost anyone can access, and with minimal effort. The user is then given the opportunity to track the location of people connected to cell towers without their consent."

As it turned out, the service really does issue a request to the nearest tower of the mobile carrier. After that, you can enter anyone's phone number and watch where they are and where they are going. By polling the coordinates at a set interval, you can plot all of this on Google Maps for convenience and keep following someone's movements without any difficulty.
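The failure mode described above, as an added example that is not LocationSmart's code: the phone numbers, coordinates, parameter names and both handlers are constructed for illustration. A toy consent-gated lookup in which the consent text message is real but the server trusts a field in the request to say consent happened, next to a version that consults its own consent record and cannot be talked out of it by editing the request.

```python
"""Consent-gated location lookup: a bypassable check next to a server-side one.

Constructed example. The phone numbers, coordinates, parameter names and the
two handlers are assumptions made for illustration, not LocationSmart's API.
"""
import secrets
import time

# Constructed sample carrier data: phone -> (lat, lon, accuracy in metres)
CARRIER_LOCATIONS = {
    "+15550100001": (37.7749, -122.4194, 40),
    "+15550100002": (40.7128, -74.0060, 60),
}

CONSENT_TTL_SECONDS = 300
_pending = {}   # phone -> one-time code "texted" to the handset
_granted = {}   # phone -> unix time at which the consent expires


def send_consent_sms(phone):
    """Simulate the consent prompt the real service texts to the handset.
    Returns the code only so the demo can play the role of the phone's owner."""
    code = secrets.token_hex(3)
    _pending[phone] = code
    return code


def record_consent(phone, code):
    """Called when the handset replies. Only a matching one-time code grants consent."""
    if _pending.get(phone) != code:
        return False
    del _pending[phone]
    _granted[phone] = time.time() + CONSENT_TTL_SECONDS
    return True


def _carrier_lookup(phone):
    return CARRIER_LOCATIONS.get(phone)


def handle_vulnerable(params):
    """Demo-style handler: the web page sends the consent SMS, but the server only
    checks a request field that claims consent was given. Anyone who edits the
    request (curl, browser devtools) can set that field themselves."""
    phone = params.get("phone")
    if params.get("consent") != "granted":      # client-controlled value
        return {"error": "consent required"}
    loc = _carrier_lookup(phone)
    return {"phone": phone, "location": loc} if loc else {"error": "unknown number"}


def handle_fixed(params):
    """Hardened handler: consent is read from the server's own store and must be
    unexpired. Nothing the client sends can assert consent."""
    phone = params.get("phone")
    expires = _granted.get(phone)
    if expires is None or expires < time.time():
        return {"error": "consent required"}
    loc = _carrier_lookup(phone)
    return {"phone": phone, "location": loc} if loc else {"error": "unknown number"}


def consent_flow(phone):
    """Run the hardened flow end to end: a forged request is refused, then the
    handset approves, then a plain request succeeds. Returns both responses."""
    forged = handle_fixed({"phone": phone, "consent": "granted"})
    code = send_consent_sms(phone)
    record_consent(phone, code)
    return forged, handle_fixed({"phone": phone})


if __name__ == "__main__":
    target = "+15550100001"
    print("vulnerable, forged consent:", handle_vulnerable({"phone": target, "consent": "granted"}))
    forged, granted = consent_flow(target)
    print("fixed, forged consent:     ", forged)
    print("fixed, after real consent: ", granted)
```

The check a practitioner would apply to any consent-gated API is the one the example encodes: replay the data request with the consent step skipped or forged and see whether the server still answers. If it does, the consent screen is decoration.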

Information security specialists wrote about the problem only after the demo version had been taken down. The service proved surprisingly accurate: the location returned for a given phone number was checked, and everything matched. The researchers called five acquaintances, asked where they were at that moment, and, with their permission, located them through LocationSmart.

One of the experts who investigated the problem published a detailed write-up of how the service was tested.

LocationSmart founder Mario Proietti said that he had never intended people's data to be used for any illegal purpose. "We make the information available in accordance with the law. The service is based on conventional technology; there is nothing illegal about it. We respect people's rights and are now examining all the facts the experts uncovered," he says.

The service in question serves corporate customers; its primary purpose is monitoring company employees. The problem, according to the company, lay not in the service itself but in the demo version used to show how LocationSmart works. The developers say the problem has now been fixed and that the updated version is being checked so that it does not recur. Note that this fix concerns the demo: the production lookups that paying customers use are exactly what the demo exposed, so the removal of the demo says nothing about who can reach them by other routes.

Krebs is well known in the information security community. In particular, he helped unmask the operator of the Mirai botnet last year, having himself been one of the first to suffer from it. After his arrest, the operator claimed that he had not acted alone but had carried out orders from third-party companies. The cybercriminal received a suspended sentence, which surprised many, and Krebs became more famous than before. Incidentally, he might never have investigated had the botnet's operators not decided to "punish" him for his success in tracking down intruders.

Source: https://habr.com/ru/post/412437/
