Real-time locations of more than 238,000 users were exposed by a popular family tracking app called Family Locator, a product of React Apps, an Australia-based software house. The exposure occurred because the developer left a database server online without any password protection.
The app lets members of a family track each other in real time and set up notification alerts that fire when a family member enters or leaves a defined location, such as school or work.
Sanyam Jain, a security researcher and member of the GDI Foundation, discovered the unprotected MongoDB database and reported the finding to a popular news website so that both the users and the app's maker could be alerted. The records in the database contained users' names, email addresses, profile photos, passwords in plaintext, and the real-time locations of their family members, including their own. In other words, the data in the exposed database was stored entirely unencrypted.
It is estimated that the data of at least 238,000 users was left exposed for at least several weeks, where anyone could find it. The news website created a dummy account to check whether the database was live; within seconds of signing up, the test account's location appeared in the database. They also contacted a randomly chosen user in Florida to verify his details, which he confirmed were "accurate", they noted.
After several failed attempts to contact the app's developer, the news website informed Microsoft about the incident, as the exposed database was hosted on its Azure cloud. An hour later, the database was pulled offline, while the developer remains unreachable and has not yet acknowledged the data leak.
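The root cause described above is a MongoDB instance reachable from the internet with authentication switched off. As an added example (not code from the article, React Apps, or the researcher), the shell script below audits a `mongod.conf` for the two settings whose absence produces exactly this kind of exposure: `security.authorization: enabled` and a `net.bindIp` that is not `0.0.0.0` (or `bindIpAll: true`). The two sample configurations it writes are constructed for the demonstration, and the temporary paths are placeholders.

```shell
#!/bin/sh
# Added example: audit a mongod.conf for unauthenticated, internet-facing exposure.
# The sample configs below are constructed for this demo and are not from the article.

# write_sample_confs DIR
# Writes two constructed mongod.conf files into DIR: one resembling the exposed
# setup (no authorization, listening on every interface) and one hardened.
write_sample_confs() {
    dir="$1"
    cat > "$dir/exposed.conf" <<'EOF'
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
EOF
    cat > "$dir/hardened.conf" <<'EOF'
net:
  port: 27017
  bindIp: 127.0.0.1
storage:
  dbPath: /var/lib/mongodb
security:
  authorization: enabled
EOF
}

# check_mongod_conf FILE
# Prints one line per check and returns 0 only if both checks pass.
check_mongod_conf() {
    file="$1"
    status=0

    # Check 1: role-based access control must be on, otherwise every client
    # that can reach the port can read and write every collection.
    if grep -Eq '^[[:space:]]*authorization:[[:space:]]*enabled' "$file"; then
        echo "OK   $file: security.authorization is enabled"
    else
        echo "FAIL $file: security.authorization is not enabled (unauthenticated reads of all data)"
        status=1
    fi

    # Check 2: the listener should not be bound to all interfaces; a cloud VM
    # with bindIp 0.0.0.0 and an open firewall rule is reachable by anyone.
    if grep -Eq '^[[:space:]]*bindIp:.*0\.0\.0\.0' "$file" \
       || grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true' "$file"; then
        echo "FAIL $file: mongod listens on all interfaces (bindIp 0.0.0.0 / bindIpAll)"
        status=1
    else
        echo "OK   $file: listener is not bound to all interfaces"
    fi

    return "$status"
}

# Demo: write the two constructed configs to a temp dir and audit both.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
for conf in "$demo_dir/exposed.conf" "$demo_dir/hardened.conf"; do
    check_mongod_conf "$conf"
    echo "exit status: $?"
done
```

The check is deliberately text-based so it can run on a host with no MongoDB tooling installed, for instance inside a CI job that lints deployment artefacts before they reach a cloud VM. Binding to a private address rather than loopback is acceptable when replica set members need to reach each other, so the script only flags the all-interfaces case; network ACLs and TLS are separate controls it does not evaluate.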