Basic website flaw reveals real-time locations of most US mobile users

API authentication flaw in third-party tracking site demo allows anyone with rudimentary skills to track phone locations

Customers of all of the major mobile US phone carriers could have had their locations tracked by almost anyone with rudimentary web skills thanks a bug in the website of LocationSmart.

LocationSmart is a US aggregator of mobile phone location data. It sells this data to businesses to help them keep track of employees and assets and to advertisers to enable them to serve contextual messages.

LocationSmart also offers a free trial in which any user can check the service's accuracy by looking up their own device's location. To access the demo a user simply needs to enter their name, email and phone number and then provide consent for LocationSmart to ping the nearest network tower to obtain the location. No password is required.

All of the major US carriers including AT&T, Sprint, T-Mobile and Verizon are covered by LocationSmart, and Canadian users of Telus Mobility can also be tracked by the company, according to Robert Xiao, a security researcher and PhD student at Carnegie Mellon University.

Xiao discovered a serious flaw with the demo site's API authentication system, meaning that the login forms were easy to bypass by anyone with a basic knowledge of how websites work.

"I stumbled upon this almost by accident, and it wasn't terribly hard to do," Xiao told security researcher Brian Krebs. "This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples' cell phone without their consent."

Knowledge of a person's phone number was the only requirement to be able to track their whereabouts within a few hundred yards of their real location.

The demo, which has apparently been operational for more than a year, has now been taken offline. LocationSmart CEO Mario Proietti said the company is looking into the flaw.

"We don't give away data," he said. "We make it available for legitimate and authorised purposes. It's based on legitimate and authorised use of location data that only takes place on consent. We take privacy seriously and we'll review all facts and look into them."

The wider story is how a third-party is allowed access to such sensitive by the carriers without users' consent in the first place.

Stephanie Lacambra, a staff attorney with Electronic Frontier Foundation, said that customers in teh US cannot opt out of tracking by the providers. The relevant legislation the Electronic Communications Privacy Act (ECPA) needs to be updated urgently, she said.

"This is precisely why we have lobbied so hard for robust privacy protections for location information," said Lacambra. "It really should be only that law enforcement is required to get a warrant for this stuff, and that's the rule we've been trying to push for."

The carriers approached by Krebs were not forthcoming about their relationships with LocationSmart.

"It remains unclear what, if anything, AT&T, Sprint, T-Mobile and Verizon plan to do about any of this," Krebs writes on his blog.

"A third-party firm leaking customer location information not only would almost certainly violate each mobile providers own stated privacy policies, but the real-time exposure of this data poses serious privacy and security risks for virtually all US mobile customers."