LocationSmart aggregates real-time data on the location of subscribers' mobile phones. It's all opt-in, but Krebs reported that anyone could look up this information for any AT&T, Sprint, T-Mobile or Verizon phone on the company's website without a password or any other form of authentication. The vulnerable service has since been taken offline, said Krebs, but man what a mistake.
While LocationSmart customers gave their consent to have the company track their phones' location, they likely did not want anyone at all to be able to see that information. The issue was initially found by Robert Xiao, a PhD candidate at Carnegie Mellon University. "I stumbled upon this almost by accident, and it wasn't terribly hard to do," he said. "This is something anyone could discover with minimal effort. And the gist of it is I can track most people's cell phones without their consent."
LocationSmart Founder and CEO Mario Proietti told Krebs, "We don't give away data. We make it available for legitimate and authorized purposes. It's based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously and we'll review all facts and look into them."