According to a report by Brian Krebs, phone geolocation company LocationSmart has been allowing users to look up the real-time location of any supplied mobile phone number without the need of a password or authentication.
LocationSmart offered a demo, which has since been removed, on its site letting potential customers try out its mobile location technology. The demo let users enter their name, email address and phone number into a form. LocationSmart would then text the targeted phone number, request permission to track that device’s location, and then replied with a location often accurate to within a few hundred yards.
Krebs contacted Robert Xiao, a security researcher at Carnegie Mellon University, who confirmed that an insecure API powered the demo. While the demo required users to provide consent for tracking their phone’s location, it offered no such protection against anyone wishing to interact directly with the API. This vulnerability potentially could have allowed any malicious actors to lookup the location of others without their knowledge or consent. In fact, Xiao demonstrated that by consuming the API, hackers could bypass the consent process entirely.
API security leaks like this are all too common. We recently saw how Panera Bread failed to secure their users’ data. These leaks are nothing new and show no signs of abating. It’s an unfortunate reality of API security these days.
What is even more worrisome in this case is how LocationSmart was able to get this data to start with. Kevin Bankston, director of New America’s Open Technology Institute, was cited in a ZDNet report as saying that the Electronic Communications Privacy Act restricts telecom companies from disclosing data to the government. That same restriction is not extended to other companies who may choose to disclose that data to the government. The danger comes when these third party companies don’t verify that requests for data are indeed lawful. This is exactly what happened with Securus Technologies. Securus is a cell phone location tracking that was selling the location data of customers of the major mobile network providers to a sheriff’s office in Mississippi County, Mo. It turns out that Securus was getting it’s location data from LocationSmart. Bankston calls this loophole "one of the biggest gaps in US privacy law."
While the freely accessible location data by itself constitutes a serious breach of privacy, the other less discussed danger has to do with when such data is aggregated with other legally or surreptitiously gained data to craft a bigger picture. The API community --- the primary group of stakeholders in the API economy -- is already reeling from the Cambridge Analytica with more fallout to come. For its part ProgrammableWeb is working on a larger trend piece that will provide insights to developers and API providers alike as they try to cope with the shifting sands. Stay tuned.