App for Family Tracking Exposes Data of Thousands of Users

Laura Bednar | Vulnerabilities


What was created as a way for families to keep track of their loved ones has turned into a serious threat to their safety. The family tracking app, Family Locator, leaked the real-time locations of 238,000 users due to an exposed server.

How Does the App Work?

Family Locator was built by Australia-based software company React Apps. The family tracker application allowed family members, including spouses and children, to locate each other using their mobile phones. Not only did the app let people know the whereabouts of their family members, it also sent a geofencing alert when someone entered or left a particular area.

Users can see when a family member in their group leaves school, or when a parent is at work. While these alerts were designed as a convenience for users, a recent data leak allowed anyone to access this information.

Dangers of the Data Leak

The data leak was the result of an exposed server that was left without a password. Security researcher Sanyam Jain found that the server did not have a password and the backend database lacked security. Jain is also a member of the GDI Foundation, which aims to make the internet a safer place by addressing security issues with responsible disclosure.

The exposed database held personally identifiable information (PII) including email addresses, passwords, and real-time locations of users. Anyone who discovered the issue could see where users were within a margin of a few feet. The sensitive information was left accessible for weeks, and none of the data was encrypted.

A tech industry publisher reached out to the React Apps developers but received no response. The company also did not respond to feedback forms that were sent about the data leakage. Microsoft hosted the Family Locator app on its Azure cloud. After it was alerted to the exposure of users’ personal information, the database was taken offline.

Knowing You Are Safe Where You Stand

This incident is another example of the importance of password protection and encryption for all sensitive data. The number of data leaks caused by a lack of security is growing. Our Secure Forensics team deals with data breaches and many other types of digital and legal forensics on a regular basis and can help businesses and individuals alike.

To ensure total security, we offer hardware-encrypted storage devices that are FIPS 140-2 Level 3 Validated. Our SecureDrive and SecureUSB devices can be used both personally and professionally to keep data secure in any circumstance. For more information on our devices and services, call 1-800-388-1266.