Pixel Envy

Written by Nick Heer.

Ironically-Named LocationSmart Leaked Live Location Data for Customers of All Major U.S. Mobile Carriers on Its Website

Yesterday, I linked to Joseph Cox’s report for Vice concerning Securus’ weak safeguards protecting access to its software that monitors the real-time location of cellphones. While I was writing it, I couldn’t help but think that there isn’t much worse it could get, right? Well, what about if a similar location tracking application had no security — at all?

Brian Krebs (emphasis his):

LocationSmart, a U.S. based company that acts as an aggregator of real-time data about the precise location of mobile phone devices, has been leaking this information to anyone via a buggy component of its Web site — without the need for any password or other form of authentication or authorization — KrebsOnSecurity has learned. The company took the vulnerable service offline early this afternoon after being contacted by KrebsOnSecurity, which verified that it could be used to reveal the location of any AT&T, Sprint, T-Mobile or Verizon phone in the United States to an accuracy of within a few hundred yards.

There’s a lot about this that’s pretty outrageous, but I think the most alarming aspect of this is that a company most of you have probably only just heard of has access to your phone’s live location, and they’ve never asked you if that’s okay.