Cell Phone Tracking Firm Exposed Millions of Americans' Real-time Locations (zdnet.com)
Earlier this week, ZDNet shed some light on a company called LocationSmart that is buying your real-time location data from four of the largest U.S. carriers. The story blew up because a former police sheriff snooped on phone location data without a warrant, according to The New York Times. ZDNet is now reporting that the company "had a bug in its website that allowed anyone to see where a person is located -- without obtaining their consent." An anonymous reader shares an excerpt: "Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call. "The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here." The "try" website was pulled offline after Xiao privately disclosed the bug to the company, with help from CERT, a public vulnerability database, also at Carnegie Mellon. Xiao said the bug may have exposed nearly every cell phone customer in the U.S. and Canada, some 200 million customers.
The researcher said he started looking at LocationSmart's website following ZDNet's report this week, which followed from a story from The New York Times, which revealed how a former police sheriff snooped on phone location data without a warrant. The sheriff has pleaded not guilty to charges of unlawful surveillance. He said one of the APIs used in the "try" page that allows users to try the location feature out was not validating the consent response properly. Xiao said it was "trivially easy" to skip the part where the API sends the text message to the user to obtain their consent. "It's a surprisingly simple bug," he said.
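As an added illustration (not part of the original post, and not LocationSmart's actual API), here is a hypothetical model of the consent check the researcher describes: a lookup that trusts a client-asserted consent flag beside one that only returns a location once the server itself has recorded a confirmed, unexpired SMS consent for that number. Phone numbers, coordinates and function names are constructed.

```python
# Hypothetical model of a consent-gated location lookup (added illustration,
# not LocationSmart's API). The story says the demo endpoint sent a consent
# text but did not validate the reply before returning a location;
# lookup_unchecked() mimics that, lookup_checked() enforces consent server-side.
import secrets
import time

LOCATIONS = {"+15555550100": (37.4, -122.1)}  # constructed sample record
CHALLENGES = {}        # phone -> consent record held by the server, never the client
CHALLENGE_TTL = 300    # seconds a consent code stays valid


def send_consent_sms(phone, now=None):
    """Issue a one-time code and record it server-side. Returned here only so
    the demo can simulate the handset replying; a real service would hand it
    to the SMS gateway alone."""
    code = secrets.token_hex(3)
    CHALLENGES[phone] = {"code": code, "issued": now or time.time(), "confirmed": False}
    return code


def _fresh(rec, now):
    """True when a record exists and its code has not expired."""
    return rec is not None and (now or time.time()) - rec["issued"] <= CHALLENGE_TTL


def confirm_consent(phone, reply_code, now=None):
    """Mark consent confirmed only if the reply matches the unexpired code
    issued to this exact number (constant-time compare)."""
    rec = CHALLENGES.get(phone)
    if not _fresh(rec, now) or not secrets.compare_digest(rec["code"], reply_code):
        return False
    rec["confirmed"] = True
    return True


def lookup_unchecked(phone, request):
    """Flawed: trusts a consent flag carried in the request itself, so the
    SMS round trip can be skipped entirely."""
    if request.get("consent") == "granted":
        return LOCATIONS.get(phone)
    return None


def lookup_checked(phone, request, now=None):
    """Fixed: ignores whatever the request claims and consults the server's
    own record of a confirmed, unexpired consent for this number."""
    rec = CHALLENGES.get(phone)
    if not _fresh(rec, now) or not rec["confirmed"]:
        return None
    return LOCATIONS.get(phone)
```

The point to audit in any consent flow is the second function's shape: the decision comes from state the server wrote after verifying the challenge, not from anything the caller sends.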
Considering that there are only 4 mobile carriers in the US (Verizon, ATT, Sprint, and T-Mobile) and pretty much everyone underneath is an MVNO leasing space from them, that covers pretty much 95% of the whole US.
That sheriff should be strung up by the courts and given 30 years for 'hacking'... as anyone else would get if they were a normal person who did the same thing.
There's no such thing as a "police sheriff." Any editor should know that there are police and there are sheriffs. Someone mangled the NYTimes article which says "...the former sheriff of Mississippi County, Mo., used a lesser-known Securus service to track people’s cellphones, including those of other officers, without court orders, according to charges filed against him in state and federal court."
A company can just buy real-time tracking data on everyone from the carriers?
To quote from The Terror:
"Go find a carpenter."
"Why?"
"It's time to build a gallows."
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Why should I care whether someone had to pay 50 cents per head or whether they got the information with a trivial hack? The real problem is cellphone companies selling out their customers and a severe lack of apps not made by weasels. Privacy now.
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.