A journalist/researcher team has managed to get a highly sensitive database taken down after the mobile app vendor responsible for it failed to acknowledge the problem. The Family Locator app was publishing the real-time location data of 238,000 users for anyone to see.
The app tracks the real-time location of anyone registered on it, enabling families to figure out where their children are, for example. It contains features including geofencing, to tell you when family members reach and leave pre-defined locations.
The app’s FollowMe feature allows you to get up-to-date status on all family members. Did little Johnny reach school? Did mum make it to work ok? And so on. It sounds like a way to ensure that your family is safe, but this app did precisely the opposite.
An insecure MongoDB database, hosted in the cloud, stored real-time, unencrypted location data about all registered members. Anyone who found the database via a search engine like Shodan could see not only the user’s real-time location, but also their profile photo, name, email address, and password. Attackers could also see the name of the places that were geofenced according to their account.
This means that anyone checking out this family safety database could easily see what your 13-year-old daughter looked like, where she lives, where she goes to school, and the route she takes to get there every morning.
Sanyam Jain, a researcher for the GDI Foundation, found the database and reported it to TechCrunch. The Foundation is a nonprofit organization whose volunteers identify and report risks found online.
The app is operated by React Apps Pty, which says on its website that it is based in Melbourne, Australia. It lists no contact information and has a privacy-cloaked WHOIS address.
TechCrunch purchased its business records and tried to contact its owner, Sandip Mann Singh. It also tried the company’s feedback form but got no reply either way.
TechCrunch’s Zack Whittaker did more than just report this. Given the sensitive nature of the case, he worked to get it taken down. He contacted Microsoft, which was hosting the offending MongoDB instance, and had it taken offline.
https://twitter.com/zackwhittaker/status/1108930389303648256Applause goes to the GDI Foundation and to Whittaker for following this through to its conclusion.
Not every such story ends well, though, and it’s not the only case where people who publish sensitive data online don’t respond. In some cases, it isn’t even clear who left the databases there in the first place.
We’ve reached the point where it’s possible for a company to gather large amounts of data from trusting users and then put them at immense risk through negligence or incompetence.
This incident could have gone another way entirely. This journalist/researcher team may not have been able to get the database taken down. Jain may never have found it at all. Someone might have stumbled across the database before Jain did and stolen enough information to begin targeting victims.
How do we ensure developers and administrators behave responsibly with customers’ data?
Jain has his own thoughts on this:
Finally, I would like to say the government should make it mandatory for all the companies to apply at least minimum password requirements before uploading their data, So that any organization can't make any excuse.
— $)C39TI0N {⚡} (@MIRAG3D3C3PTI0N) March 23, 2019
What are yours?
Steve
Jain and Whittaker share a hat so white you could see it from outer space. Thanks to both of them!