LocationDumb: Phone tracker foul-up exposes world+dog to tracking

The parade of bad privacy news this week has managed to get even worse, as one of the companies associated with the selling of phone locations for cash scandal was subject to a publicly exploitable bug. Researcher Robert Xiao says LocationSmart was running a site riddled with vulnerabilities that could allow anyone to look up …

  1. Paul Hovnanian Silver badge

    Free for the taking?

    Just watch LocationSmart claim that, in spite of their cheesy lock, burglars made off with the family silver and should be made to pay. You can't just pick up a pile of $100s that fell off an armored truck and think they are yours to spend.

  2. Mage Silver badge

    I'm baffled

    How does Location Smart get the info in the first place? You need to be the Police AND have a warrant in most Democratic countries. Or be State Security in the non-democratic ones.

    1. Alan Thompson

      Re: I'm baffled

      Unless you've agreed to location services in your contract/EULA - which you likely already have - since the carrier can update their terms any time they want.

      The carriers sell the data to services like locationsmart. Yet, they won't give their own customer the same data without an order from a judge.

      1. Mage Silver badge

        Re: carriers sell the data to services

        So another example of how the USA prioritises profits of corporations over the rights of individuals?

        FCC needs reformed, and for all the MANY failings of ITU (19th C taken over by UN), DNS, Domain stuff, IP addresses obviously should be under ITU, not ICANN/US Corporations.

        Crazy.

        1. Anonymous Coward

          Re: carriers sell the data to services

          For legal purposes here in the US corporations have been judged to be considered "individuals" with "rights" parity.

          So priorities can now be sorted as to an 'individual's' pocket largess.

          Crazy Indeed......

          1. BebopWeBop

            Re: carriers sell the data to services

            Limited definition of the 'individual' though - they can not be jailed or given the death sentence though (I might even support it for some corporations)

            1. tony2heads

              Re: carriers sell the data to services

              DEATH to corporations!!

              If they can swindle and kill they should be sentenced appropriately.

      2. Nick Ryan Silver badge

        Re: I'm baffled

        Unless you've agreed to location services in your contract/EULA - which you likely already have - since the carrier can update their terms any time they want.

        Meanwhile, in the civilised/free world, a corporation may not meaningfully change the terms of a contract without agreement from the other party - explicit or implicit will do. While this is frequently abused the legal situation is that both parties must agree to a contractual change and if either party can demonstrate that they were either not adequately notified or given sufficient notification of a change in contract then the new one is null and void and the prior one still stands. It gets rather messier if the terms change "substantially" in favour of one side of the contract as this may cause the original contract, and all attached terms and conditions, to become null and void and this is particularly the case for monopolies, or near monopolies. For example, if you don't like the terms of a new contract then the exit clauses (penalties) of the prior contract no longer apply. This goes both ways though.

    2. Jamie Jones Silver badge

      Re: I'm baffled

      From: https://www.extremetech.com/mobile/269259-your-cell-carrier-selling-your-location-data

      The location data comes from a third-party called LocationSmart, which claims to have a direct connection to all four big US carriers, as well as several in Canada.

      The nature of this connection is unclear, but it would appear carriers are not getting the appropriate location consent before providing data to LocationSmart.

      As usual, businesses and money run America. They need a GDPR!

  3. Doctor Syntax Silver badge

    "opt-in marketing"

    How novel.

  4. Anonymous Coward

    I give up

    Tossing all my electronics and will pick up trash for a living (no shortage of that ever)

    1. eswan

      Re: I give up

      >> Tossing all my electronics and will pick up trash for a living (no shortage of that ever)

      They've already automated the 'lift the bin and dump it in the truck' part. All they need now are self driving garbage trucks.

  5. GnuTzu

    Security Controls Need to be Server Side -- Period

    Web Security 101. Wake up people.

    1. phuzz Silver badge

      Re: Security Controls Need to be Server Side -- Period

      It sounds like they were, and working for the XML output, they were just broken for the JSON output.

      So server-side security is great and all, but first you need to actually be competent enough to apply that security for everything.
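
The failure mode described in the comment above, a server-side check that one output format enforces and another skips, as an added example (not part of the thread and not LocationSmart's code). The subscriber records, function names and the consent flag are constructed assumptions.

```python
import json

# Constructed sample data: phone number -> consent flag and location.
SUBSCRIBERS = {
    "555-0100": {"consent": True, "lat": 40.44, "lon": -79.99},
    "555-0199": {"consent": False, "lat": 37.77, "lon": -122.42},
}

class Forbidden(Exception):
    """Raised when the subscriber has not consented to a lookup."""

def render(rec, fmt):
    # Serialization only; no access decisions belong here.
    if fmt == "json":
        return json.dumps({"lat": rec["lat"], "lon": rec["lon"]})
    return '<loc lat="%s" lon="%s"/>' % (rec["lat"], rec["lon"])

def lookup_per_format(number, fmt):
    """Flawed pattern: the consent check lives inside one output branch."""
    rec = SUBSCRIBERS[number]
    if fmt == "xml":
        if not rec["consent"]:
            raise Forbidden(number)
        return render(rec, "xml")
    return render(rec, fmt)  # every other format bypasses the check

def lookup_checked_first(number, fmt):
    """Hardened pattern: authorize once, before a format is even chosen."""
    rec = SUBSCRIBERS[number]
    if not rec["consent"]:
        raise Forbidden(number)
    if fmt not in ("xml", "json"):
        raise ValueError("unsupported format")
    return render(rec, fmt)

def audit(lookup, formats=("xml", "json")):
    """Regression check: list formats that answer for a non-consenting number."""
    leaks = []
    for fmt in formats:
        try:
            lookup("555-0199", fmt)
            leaks.append(fmt)
        except Forbidden:
            pass
    return leaks
```

Running `audit` over every supported format in CI catches the case where a new output path is added without the check.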

  6. Trigonoceps occipitalis

    Believe

    "The company said that it did not believe anyone else had exploited the flaw to view user details."

    The company are damn sure someone has exploited the flaw but are not crazy enough to admit it.

    FTFY

  7. SimGa

    tracking

    You can download an application on the phone to track the location.

    There are free apps like spytomobile which show locations precisely.
