During the past week, a security researcher discovered a flaw in an Australian based app, Family Locator by ReactApps. The app, commonly used by families to track each others whereabouts, reportedly left the backend of its MongoDB database exposed. This made data accessible by anyone searching for a way into the systems. Consequently, security researcher, Sanyam Jain, who discovered the flaw, was able to discover the leakage of over 230,000 users.
Family Locator sets up geofenced alerts which notifies family members when a member enters or leaves a particular set location such as a business, home or school. Users who set up this feature had fixed locations of work or school stored on their accounts which Jain had access to. The app runs on the open source document application, MongoDB, where the vulnerability was. It exposed users’ names, plaintext passwords, history of locations and email addresses. If a hacker with malicious intent finds this vulnerability, access to such data allows them to carry out further attacks, sell the data on the dark web and other fraudulent activities. Other security measures not in place that would have mitigated the impact of the backdoor vulnerability include encryption.
Other App issues
Accountability also proved to be an issue with ReactApps as there was difficulty locating the owners. There were neither contact details to reach the organization nor was there any response to the reported breach.
Microsoft Azure pulled the app offline after TechCrunch attempted to contact the developer to no avail. It is not known whether any data was compromised before discovery. What actions ReactApps intend to take to remediate the issue is also unclear. It comes at a time where security is an area of concern in applications. Where developers once took a laxed approach, this can longer be the case with recent privacy and cybersecurity laws in play.
Do your friends and family use a locator app and if so does this news give you any concerns? Let us know your thoughts in the comments section.