Great Moto G Stylus deal on Amazon!
Last chance to snatch the perfect Mother's Day gift at a discount and get it in time for her holiday!
Last chance to snatch the perfect Mother's Day gift at a discount and get it in time for her holiday!

Flaw in webpage demo could have allowed anyone to track cellphones on major U.S. providers

By
1comment
Flaw in webpage demo could have allowed anyone to track cellphones on major U.S. providers
A company based in San Diego, LocationSmart of Carlsbad, collects real-time data on wireless mobile devices. A computer science student said in a report published today, that a flaw in the company's website could have revealed to anyone, the real-time location of any cellphone running on Verizon, AT&T, T-Mobile or Sprint. The information would have been accurate to within a few hundred yards.

If your first thought is, what purpose do companies like LocationSmart serve, they sell location data to companies that want/need to track their employees. Another part of the business sends text messages about sales and discounts offered by a particular store, to cellphone users who happen to be near, or inside that store. LocationSmart's website lists clients like AAA, FedEx, and Allstate.

If this story sounds familiar, it's because last week we told you about Securus Technologies, a company that was used by a small-town sheriff to track cellphones belonging to the State Highway Patrol between 2014 and 2017 without the use of a warrant. And there is a connection between the two stories; according to Sen. Ron Wyden (D-Ore.), Securus obtained its data from a company called 3Cinterative, which is a customer of LocationSmart.

This past Wednesday, Carnegie Mellon University computer science student Robert Xiao found the flaw in LocationSmart's website. According to Xiao, the bug "allowed anyone, anywhere in the world, to look up the location of a U.S. cellphone. I could punch in any 10-digit phone number, and I could get anyone's location." The site was supposed to allow consumers to test out LocationSmart's service by allowing them to type in their own cell number, and after giving consent via a call or text, see their location (again, within a few hundred yards).

A flaw in LocationSmart's demo platform could have allowed anyone to track any cellphone running on Verizon, AT&T, T-Mobile or Sprint - Flaw in webpage demo could have allowed anyone to track cellphones on major U.S. providers
A flaw in LocationSmart's demo platform could have allowed anyone to track any cellphone running on Verizon, AT&T, T-Mobile or Sprint

Xiao discovered the flaw in LocationSmart's website in 15 minutes. The bug allowed him to bypass consent, which in theory would allow him to find the location of any phone using one of the four major wireless carriers in the states. And even scarier was his pronouncement that "It would not take anyone with sufficient technical knowledge much time to find this."

Verizon spokesman Rich Young said that Securus no longer has access to Verizon customers, and added that Verizon is scrutinizing its relationship with LocationSmart. AT&T and Sprint each said that they do not allow third party companies to track subscribers without a consent, a court order or a warrant.

Thanks to Xiao's discovery, LocationSmart took down the flawed page on its website Thursday. The site contained a statement which states that the vulnerability of the "consent mechanism" on its online demo has been resolved and was not exploited prior to May 16th. LocationSmart says that no customer information was obtained without permission and adds that the demo has been disabled. You can find the full statement below.

"LocationSmart provides an enterprise mobility platform that strives to bring secure operational efficiencies to enterprise customers. All disclosure of location data through LocationSmart’s platform relies on consent first being received from the individual subscriber. The vulnerability of the consent mechanism recently identified by Mr. Robert Xiao, a cybersecurity researcher, on our online demo has been resolved and the demo has been disabled. We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission. On that day as many as two dozen subscribers were located by Mr. Xiao through his exploitation of the vulnerability. Based on Mr. Xiao’s public statements, we understand that those subscribers were located only after Mr. Xiao personally obtained their consent. LocationSmart is continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process."-LocationSmart

source: LATimes
https://m-cdn.phonearena.com/images/users/39-200/Alan-F.jpg
Alan Friedman Mobile Tech News Journalist
Alan, an ardent smartphone enthusiast and a veteran writer at PhoneArena since 2009, has witnessed and chronicled the transformative years of mobile technology. Owning iconic phones from the original iPhone to the iPhone 15 Pro Max, he has seen smartphones evolve into a global phenomenon. Beyond smartphones, Alan has covered the emergence of tablets, smartwatches, and smart speakers.

Recommended Stories

Loading Comments...

Popular stories

T-Mobile customers can breathe a sigh of (temporary) relief as unwelcome change delayed
T-Mobile customers can breathe a sigh of (temporary) relief as unwelcome change delayed
4 billion Android users who downloaded apps flagged by Microsoft need to take some actions to stay safe
4 billion Android users who downloaded apps flagged by Microsoft need to take some actions to stay safe
Researcher answers the age-old question: which platform is more secure, iOS or Android?
Researcher answers the age-old question: which platform is more secure, iOS or Android?
Prices for the Motorola Edge (2022) remain too good to be true on Amazon
Prices for the Motorola Edge (2022) remain too good to be true on Amazon
Check the list to see if your OnePlus device is eligible to receive OxygenOS 15
Check the list to see if your OnePlus device is eligible to receive OxygenOS 15
T-Mobile makes it easier for owner of Galaxy S24 and some Motorola phones to ditch their carriers
T-Mobile makes it easier for owner of Galaxy S24 and some Motorola phones to ditch their carriers

Latest News

Nokia 3210 gets reimagined 25 years after its initial debut
Nokia 3210 gets reimagined 25 years after its initial debut
It's not too late to save on the speedy iPad Mini 2021 if you don't want to break the bank on Apple's latest iPads
It's not too late to save on the speedy iPad Mini 2021 if you don't want to break the bank on Apple's latest iPads
Apple's non-Pro AirPods 2 are still here, and at their lowest price ever, still pretty amazing
Apple's non-Pro AirPods 2 are still here, and at their lowest price ever, still pretty amazing
Best Mother's Day deals 2024: now’s the time to order and get your mother her gift in time
Best Mother's Day deals 2024: now’s the time to order and get your mother her gift in time
Snatch the JBL Charge 5 at 28% off through Walmart's tempting deal
Snatch the JBL Charge 5 at 28% off through Walmart's tempting deal
The Galaxy S24+ 256GB is now even more enticing after Amazon replaces its huge discount with an even bigger one
The Galaxy S24+ 256GB is now even more enticing after Amazon replaces its huge discount with an even bigger one
FCC OKs Cingular\'s purchase of AT&T Wireless