Family tracking app leaked real-time location data for weeks
It would have let intruders spy on a child's whereabouts.
Family tracking apps can be very helpful if you're worried about your kids or spouse, but they can be nightmarish if that data falls into the wrong hands. Security researcher Sanyam Jain has revealed to TechCrunch that React Apps' Family Locator left real-time location data (plus other sensitive personal info) for over 238,000 people exposed for weeks in an insecure database. It showed positions within a few feet, and even showed the names for the geofenced areas used to provide alerts. You could tell if parents left home or a child arrived at school, for instance.
This wasn't helped by React's own issues with accountability. Its site had no contact information, and even its WHOIS record masked the email address. Messages through the feedback form turned up nothing. The database didn't go offline until TechCrunch asked Microsoft to reach the developer, who still hasn't said anything about the leak.
It's not clear if anyone beyond Jain or TechCrunch accessed the database.
While the data is safe for now, the incident illustrates a problem with tracking apps as a whole: it's difficult to verify that developers are securing your location info every step of the way. If they don't and there's a breach, it could lead to very real threats that could include physical danger.
