An app called ‘Family Locator’ allows family to track locations of other family members.This app was found leaking the real-time locations of its 238000 users for weeks when a server was left exposed without a password.
This app is owned by an Australia based software company called React App.
Based on researches done by members of GDI foundation, the unprotected server was running a MangoDB database which stored the real time location and other such significant data of its users.
This app was built such that it allowed family members to track the location of other family members.This app also sends geofenced alerts to notify when a family member enters or leaves a location. Each user sets up a geofence by storing coordinates in the database as ‘home’ , ‘work’ etc.
Based on investigations it was found that misconfigured database contained account records of each user. The information stored included user names, emails, profile pictures and plaintext passwords which was not encrypted.
There was no response from the company upon informing about this data leakage. Thus microsoft which hosted the database on its Azure cloud was asked to take immediate actions. Now the unsecure database is not available on the internet anymore.
