LocationSmart bug provided easy access to real-time location data from millions of phones

Robert Xiao, a computer science student at Carnegie Mellon, recently discovered a vulnerability in the LocationSmart website that made the real-time location of millions of phones easily accessible to anyone with the know-how.

For background, LocationSmart is a company that collects mobile customers' location data from leading carriers, including Verizon, AT&T, Sprint and T-Mobile in the US, and then sells it to other companies for various purposes, including compliance, cybersecurity and proximity marketing.

Until the vulnerability was discovered, LocationSmart offered a trial page that let anyone enter their phone number, confirm the request by SMS or phone call, and view their approximate location in real time.

[Image: the LocationSmart trial page. Source: Krebs on Security]

The problem, as Xiao discovered, was that the web page had a bug that allowed anyone with the technical skills to bypass the phone number verification step and see the real-time location of any subscriber of most major carriers in the US, as well as Bell, Rogers and Telus in Canada.

In a blog post, Xiao explains that the bug essentially comes down to requesting the location data in JSON format instead of the default XML format:

If you make the same request with requesttype=locreq.json, you get the full location data without consent. That's the heart of the bug. Essentially, this requests location data in JSON format, instead of the default XML format….
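To make the bug class concrete, here is an added illustration (not code from this article, from Xiao's write-up, or from LocationSmart's service) of a lookup handler whose consent check lives only on the default XML path, next to a hardened handler that makes the authorization decision once, before the response format is even considered. The handler names, the in-memory consent and location tables, and the phone numbers are constructed for the example; only the `requesttype` parameter and the `locreq.json` value come from the quoted text.

```python
"""Consent check tied to the response format (the bug class described above)
beside a version where authorization happens before serialization."""
from dataclasses import dataclass
import json

# Constructed sample state: numbers whose owner confirmed the SMS/call prompt.
CONSENTED_NUMBERS = {"+15550000001"}

# Constructed sample location records keyed by phone number.
LOCATIONS = {
    "+15550000001": {"lat": 37.42, "lon": -122.08},
    "+15550000002": {"lat": 40.71, "lon": -74.00},
}


@dataclass
class Response:
    status: int
    body: str


def _serialize(record: dict, requesttype: str) -> str:
    """Render a location record as JSON or as the default XML."""
    if requesttype == "locreq.json":
        return json.dumps(record)
    return (
        f"<location><lat>{record['lat']}</lat>"
        f"<lon>{record['lon']}</lon></location>"
    )


def vulnerable_lookup(phone: str, requesttype: str = "locreq") -> Response:
    """Consent is enforced only on the XML branch; the JSON branch skips it.

    This mirrors the failure mode in the article: the same backend query is
    reachable through two presentation paths, and only one of them checks
    that the subscriber agreed to be located.
    """
    record = LOCATIONS.get(phone)
    if record is None:
        return Response(404, "unknown subscriber")
    if requesttype == "locreq.json":
        # BUG: no consent check on this branch.
        return Response(200, _serialize(record, "locreq.json"))
    if phone not in CONSENTED_NUMBERS:
        return Response(403, "consent required")
    return Response(200, _serialize(record, "locreq"))


def hardened_lookup(phone: str, requesttype: str = "locreq") -> Response:
    """Authorize first, then choose the format; no branch can skip the check.

    The consent check also runs before the existence check so that an
    unauthorized caller cannot tell known numbers from unknown ones.
    """
    if phone not in CONSENTED_NUMBERS:
        return Response(403, "consent required")
    record = LOCATIONS.get(phone)
    if record is None:
        return Response(404, "unknown subscriber")
    if requesttype not in ("locreq", "locreq.json"):
        return Response(400, "unsupported requesttype")
    return Response(200, _serialize(record, requesttype))


if __name__ == "__main__":
    # Number without consent: the vulnerable handler leaks via JSON,
    # the hardened handler refuses regardless of format.
    for fmt in ("locreq", "locreq.json"):
        print(fmt, vulnerable_lookup("+15550000002", fmt).status,
              hardened_lookup("+15550000002", fmt).status)
```

The design point is that the authorization decision belongs in one place that every response format passes through, and that a format or content-type parameter should never be able to select a code path with weaker checks; a review that lists every route able to return a given record, and confirms each one reaches the same consent check, would have caught this.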
