A security researcher discovered security vulnerabilities in the popular phone-tracking app iSharing, which put users' exact locations at risk. The app, which has 35 million users, has since patched these flaws. After hearing about the researcher's findings, we decided to verify the ease with which one could access the precise location of any user on the app.
Eric Daigle, a student studying computer science and economics at the University of British Columbia in Vancouver, discovered security flaws in the tracking app iSharing while investigating the safety of location-tracking applications. iSharing is a widely used app for tracking locations, with over 35 million users.
Daigle explained that the flaws in the app made it possible for users to see the coordinates of others, even if those users did not intend to share their location data. Additionally, the bugs made it possible for users to view the name, profile picture, email address, and phone number of the individuals logged into the app.
The bugs meant that iSharing's servers failed to properly verify that app users could access only their own location data or location data that someone else had shared with them.
Apps that track location, such as stalkerware, have a track record of security issues that could potentially reveal the exact location of users.
In this instance, Daigle was able to quickly pinpoint the location of the reporter to within a few feet. He used an Android phone with the iSharing app and a new user account to demonstrate that the bugs let him track our exact whereabouts.
Daigle confirmed the location of TechCrunch’s office in New York, providing the specific address at 770 Broadway in Manhattan where the phone was transmitting its whereabouts.
The security researcher was able to access our exact location data from iSharing’s servers, despite the fact that the app was not sharing our location with anyone else. Image Source: TechCrunch (screenshot)
Before iSharing fixed the bugs, Daigle had informed them of the vulnerability but did not receive a response. Seeking assistance from TechCrunch, Daigle was able to get in touch with the app makers and the bugs were resolved over the weekend of April 20-21.
Yongjae Chuh, co-founder of iSharing, expressed gratitude towards the researcher who identified the issue so that they could address it promptly. The team is now collaborating with security experts to implement additional security measures to safeguard the data of all users.
iSharing attributed the vulnerability to a feature called groups, which permits users to share their location with others. Chuh told TechCrunch that the company's records did not indicate that anyone had discovered the bugs before Daigle found them. Chuh admitted that there could have been a mistake on their part, as their servers were not verifying if users had permission to join a group with others.
TechCrunch delayed publishing this story until Daigle verified that the issue had been resolved.
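The class of flaw described above, a server that neither verifies permission to join a group nor limits location reads to data shared with the caller, is sketched below as an added example; it is not iSharing's code and not part of the original article. The class and method names, the owner-invitation model, and the in-memory storage are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Caller is not authorized for the requested action."""

@dataclass
class Group:
    owner: str
    members: set = field(default_factory=set)
    invited: set = field(default_factory=set)  # pending invitations from the owner

class LocationService:
    """Toy in-memory model; every name here is hypothetical, not iSharing's API."""
    def __init__(self):
        self.groups = {}     # group_id -> Group
        self.locations = {}  # user_id -> (lat, lon)

    def create_group(self, group_id, owner):
        self.groups[group_id] = Group(owner=owner, members={owner})

    def invite(self, group_id, caller, invitee):
        group = self.groups[group_id]
        if caller != group.owner:
            raise Forbidden("only the group owner may invite")
        group.invited.add(invitee)

    def join_unchecked(self, group_id, caller):
        # Flawed pattern: membership is granted simply because the request asked.
        self.groups[group_id].members.add(caller)

    def join(self, group_id, caller):
        # Corrected pattern: the server confirms a pending invitation first.
        group = self.groups[group_id]
        if caller not in group.invited:
            raise Forbidden("no pending invitation for this user")
        group.invited.discard(caller)
        group.members.add(caller)

    def read_location(self, caller, target):
        # Allowed only for one's own location or for someone sharing a group.
        shares_group = any(caller in g.members and target in g.members
                           for g in self.groups.values())
        if caller != target and not shares_group:
            raise Forbidden("target has not shared location with caller")
        return self.locations[target]
```

Both checks are enforced on the server: `read_location` is only as strong as the membership data it consults, which is why the join path needs its own authorization check.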