Real-time locations of 238,000 Family Locator app users exposed
Threats / Real-time locations of 238,000 Family Locator app users exposed via unsecured server
26 March 2019
Real-time locations of as many as 238,000 users of the Family Locator app were left exposed for external access after React Apps, the Australia-based software firm that developed the app, left a backend MongoDB database exposed without securing it with a password.
The popular Family Locator app allows its users to track real-time locations of their loved ones, whether their loved ones are at school, at work, leaving their places of work, visiting an unknown place, and so on. At any point of time, a Family Locator app user can track real-time locations of up to ten family members on the app and receive instant notifications about the locations of their loved ones as well.
Locations of Family Locator app users stored in unprotected MongoDB database
Recently, security researcher Satyam Jain stumbled upon the exposed MongoDB database belonging to React Apps and alerted TechCrunch about his findings. Upon reviewing the database, TechCrunch noted that none of the data in the database was encrypted, that “each account record contained a user’s name, email address, profile photo and their plaintext passwords”.
TechCrunch also found that that “each account also kept a record of their own and other family members’ real-time locations precise to just a few feet”, and that “each user who had a geofence set up also had those coordinates stored in the database, along with what the user called them — such as “home” or “work.”
The tech news website also independently confirmed with a Family Locator app user that locations and other details stored on the upprotected MongoDB database were indeed accurate. “Several other records we reviewed also included the real-time locations of parents and their children,” it added.
Even though leaving a database unprotected for anyone to access could in certain cases be an honest mistake or an employee error, what was worse was that Tech Crunch was unable to contact React Apps, was unable to obtain the owner’s email address to communicate information about the unprotected database, and several messages left via the company’s feedback form went unanswered. Finally, the database was pulled offline after TechCrunch asked Microsoft, which hosted the database on its Azure cloud, to contact React Apps.
Organisations must upgrade their security tools & practices
“It is increasingly common for security breaches to be simply the result of a well-meaning insider or simply a human error with a lack of process. Where this occurs, organisations should be reviewing their ability to capture and address instances such as this which may fall outside the security tools they currently deploy,” said Robert Ramsden-Board, VP of EMEA at Securonix.
“Traditional security solutions which consider a discrete rules-based set of criteria for what is acceptable and not are no longer enough. Forward-thinking companies across all areas of business now recognise they must also embrace behavioural analytics to expose areas of risk which legacy SIEM and other security technologies that focus on single use cases cannot cover,” he added.
“For consumers, there is the very real need to weigh up the benefits versus the risks of tracking services, or any app for that matter, when sharing personally identifiable information. Consider carefully whether the app is from a credible company, and available from a reputable online store. If you do use this type of app, make sure it is locked down – for example ensure that you only share data when the app is open,” says Gavin Millard, VP of intelligence at Tenable.
“For developers, it’s critical that they ensure security is baked in from the initial design. For example: robust password management; encryption; good configuration of any cloud services leveraged; etc. The time of the unprotected MongoDB database or the open S3 bucket needs to end,” he adds.