A security researcher discovered critical vulnerabilities in the popular phone-tracking app iSharing, potentially exposing the precise locations of its 35 million users. Eric Daigle, a student at the University of British Columbia, found that the bugs allowed anyone using the app to access another user’s coordinates, along with personal information like name, profile photo, email address, and phone number.
iSharing’s servers failed to properly authenticate users, which allowed unauthorized access to location data even if users weren’t actively sharing their location with others. Daigle demonstrated the ease of exploiting these bugs by pinpointing the location of a TechCrunch reporter down to a few feet, highlighting the severity of the security lapse.
Despite Daigle’s efforts to responsibly disclose the vulnerabilities to iSharing, the company did not respond until TechCrunch intervened. iSharing promptly fixed the bugs after being notified, acknowledging the oversight and expressing gratitude to the researcher for uncovering the issue.
The vulnerability stemmed from a feature called “groups,” which enables users to share their location with others. iSharing attributed the oversight to its servers’ failure to properly verify user permissions when joining groups.
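The class of flaw described above, a server that does not verify permissions when a user joins a group, can be shown with a small model. This is an added example, not iSharing's code: the `GroupService` class, its method names, and the HMAC-bound invite scheme are all assumptions chosen to show a join handler with no permission check beside one that enforces it on the server.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret

class GroupService:
    """Toy in-memory model of a location-sharing 'groups' backend (hypothetical)."""

    def __init__(self):
        self.members = {}    # group_id -> set of user ids
        self.locations = {}  # user id -> (lat, lon); constructed sample data

    def create_group(self, owner_id):
        group_id = secrets.token_hex(8)
        self.members[group_id] = {owner_id}
        return group_id

    def _invite_mac(self, group_id, invitee_id):
        msg = f"{group_id}:{invitee_id}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue_invite(self, session_user, group_id, invitee_id):
        # Only a current member may invite someone into the group.
        if session_user not in self.members.get(group_id, set()):
            raise PermissionError("inviter is not a member")
        return self._invite_mac(group_id, invitee_id)

    def join_group_unchecked(self, session_user, group_id):
        # Weak form: any logged-in user is added to whatever group id they send.
        self.members.setdefault(group_id, set()).add(session_user)

    def join_group(self, session_user, group_id, invite):
        # Hardened form: the invite must be bound to this group AND this user.
        if group_id not in self.members:
            raise PermissionError("unknown group")
        expected = self._invite_mac(group_id, session_user)
        if not hmac.compare_digest(expected, invite):
            raise PermissionError("no valid invite for this user")
        self.members[group_id].add(session_user)

    def group_locations(self, session_user, group_id):
        # Membership is re-checked on every read, keyed on the session identity.
        group = self.members.get(group_id, set())
        if session_user not in group:
            raise PermissionError("not a member of this group")
        return {u: self.locations[u] for u in group if u in self.locations}
```

With `join_group_unchecked`, the membership check in `group_locations` is satisfied by anyone who asks to join, so the read-side check alone does not protect location data.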
Daigle’s discovery underscores the ongoing risks associated with location-tracking apps and stalkerware, which have a history of security mishaps. He plans to continue researching in this area, emphasizing the importance of robust security measures to protect users’ privacy and data.
The swift resolution of the security flaws in iSharing highlights the significance of bug bounty programs and responsible disclosure practices in safeguarding users against potential breaches. As users increasingly rely on location-tracking apps for various purposes, ensuring the security and privacy of their data remains paramount.