Last week, when security researchers said they could easily obtain precise location information from any of the millions of users of a widely used phone tracking app, we saw it for ourselves. I needed to.
Eric Daigle, a computer science and economics student at the University of British Columbia in Vancouver, discovered the vulnerability in the tracking app iSharing as part of his research into the security of location tracking apps. iSharing is one of the most popular location tracking apps and has over 35 million users so far.
Daigle said the bug allowed anyone using the app to access other people's coordinates, even if the user did not actively share their location data with others. . The bug also exposed the user's name, profile picture, email address and phone number used to log into the app.
This bug means that iSharing's servers do not properly check that app users can only access their own location data, or the location data of others that is shared with them.
Location-tracking apps, including stealthy “stalkerware” apps, have a history of security incidents where a user's precise location information is at risk of being compromised or exposed.
In this case, it took Daigle just a few seconds to spot this reporter from a few feet away. Using an Android smartphone with the iSharing app installed and a new user account, researchers were asked if the bug could be used to obtain precise location information.
“770 Broadway in Manhattan?” Daigle responded with the exact coordinates of the TechCrunch office in New York, where his phone was transmitting the location.
Even though the app doesn't share our location with anyone else, security researchers have extracted our precise location data from iSharing's servers. Image credit: TechCrunch (screenshot)
Daigle shared details of the vulnerability with iSharing about two weeks ago, but received no response. That's when Daigle asked TechCrunch for help reaching out to app makers. iSharing fixed the bug just after or during the weekend from April 20th to the 21st.
“We are grateful to the researchers who discovered this problem and were able to get ahead of it,” iSharing co-founder Yongjae Chuh told TechCrunch via email. “Our team is currently planning to work with security experts to add the necessary security measures to ensure the protection of all our users' data.”
iSharing blamed the vulnerability on a feature called Groups that allows users to share their location with other users. Chuh told TechCrunch that the company's logs show there was no evidence that the bug was discovered before Daigle's discovery. Chuh acknowledged that “there may have been an oversight on our part” because the company's servers were unable to check whether users were allowed to join other users' groups.
TechCrunch held off on publishing this article until Daigle confirmed the fix.
“It probably took us about an hour in total to find the first flaw, which included opening the app, understanding the format of the request, and verifying that creating and joining a group for another user worked. Daigle told TechCrunch.
From there, he spent several more hours building a proof-of-concept script to demonstrate the security bug.
Daigle explained the vulnerability in more detail on his blog and said he plans to continue his research in the areas of stalkerware and location tracking.
Read more on TechCrunch:
Contact this reporter via Signal and WhatsApp (+1 646-755-8849) or email. You can also send files and documents via SecureDrop.