Website flaw reveals real-time locations of US cellphones

LocationSmart Has Been Leaking Customer Location Data to Anyone

Phone-tracking firm had a bug that let anyone track millions of Americans

It turns out LocationSmart's phone-tracking feature isn't smart with security or privacy.

LocationSmart specializes in collecting cell phone data from US wireless carriers as a way to help businesses understand their customers.

In ZDNet's test, the results were incredibly accurate, pinpointing the phone to within the same city block of its actual location. The issue was initially found by Robert Xiao, a PhD candidate at Carnegie Mellon University. He was digging around the demo and noticed a flaw in the system's API that can let you make cell phone location searches without obtaining the owner's consent.

A New York Times report last week revealed that Securus, an inmate call tracking service, had offered the same technology to find anyone's phone in the US within seconds. Another source said the location found by the researcher was 1.5 miles away from his current location.

Xiao had tricked LocationSmart's website because the page was not properly verifying that the required consent had been received.

One of those sources said the longitude and latitude returned by Xiao's queries came within 100 yards of their then-current location.

Xiao first tried it on his own phone, and then asked several of his friends to see if he could try it with their phone numbers. "I stumbled upon this nearly by accident, and it wasn't terribly hard to do," he said. "It was clear to me at that point, that nobody I had contacted received a text message or notification while I was tracking them."

Xiao said that he was able to use the tool - which, again, was free for anyone with internet access to use until it was taken offline today - to track a friend's location in real time repeatedly over the course of a few minutes to basically chart a path of where the individual was moving using the coordinates the site texted him.

So far, LocationSmart and Securus haven't commented on their cell phone tracking services.

Last week, Sen. Ron Wyden, a Democrat from Oregon, requested that the FCC and major wireless carriers investigate geolocation data abuse.

Word of the leak comes five days after another little-known service called Securus came to national attention after The New York Times reported it allowed law enforcement officers to locate most US-based cell phones within seconds.

Krebs contacted all four of the major US mobile carriers, and all declined to confirm or deny a formal business relationship with LocationSmart, despite LocationSmart displaying the carriers' corporate logos on its website.

While LocationSmart customers gave their consent to have the company track their phones' location, they likely did not want anyone to know that information.
