An app called Family Locator, which allows family members to keep track of one another recently experienced an exposed database issue of the worst kind. Specifically: the MongoDB database was left exposed with no password, like so many other recent infosec tales of woe. The end result is the location of about 280,000 users leaking in real time.
For a location tracking app that also includes information about children, this is quite the error. Map views, family maps, and push notifications to let you know where everybody is all sound great—until random people also potentially have access to it. This is the fate handed to Family Locator these past few days, although nobody knows how long the sensitive data has been exposed.
What was leaked?
The Family Locator database records held names, email, plain text passwords, and photographs, along with coordinates tied to user-allocated names, such as office, home, and condo. As per the TechCrunch report, none of it was encrypted, a misstep repeated by Facebook last week.
On a related note, the app’s privacy policy is rather short and to the point:
What information do we collect and how we use itContact information:
When you create an account, we may collect your personal information such as your username, first and last name and email address.
We may send important or promotional information about our products.
Geolocation data:
We collect your location through GPS, WiFi, or phone network in order to provide our Service.
Do we disclose any information to outside parties?
No. We do not sell, trade, or otherwise transfer to outside parties any of your personally identifiable information.
Changes to our privacy policy
We may update this policy at any time by posting changes on this page.
It seems the most-urgently required change to the page is the addition of the word “whoops.”
Was there a real-world impact to this?
There absolutely was. After setting up a dummy account and verifying the accuracy of their coordinates against what was listed in the database, TechCrunch contacted one user randomly, who validated that their location exposed in the database was also correct, and that one of their family members using the app was their child.
This is, frankly, terrible, especially as TechCrunch found numerous other parent/child combinations in the database.
Did it all go wrong at this point?
You bet it did. I’ve reported hundreds of security fails down the years. I’ve had data exposure issues fixed on image hosting websites, exploits on social networking portals patched up, data hauls taken offline, outbreaks on instant messaging platforms shut down, and much more besides.
Many people working in infosec do the same thing, all the time. Security awareness, even for other developers, used to be pretty bad a decade or more ago—it was pretty much throw a paper plane and hope something lands.
Things are supposed to be much better now, right?
In the case of Family Locator, they aren’t.
What happened next sounds like one of my wild goose chases from yesteryear. No useful information could be found on the site’s WHOIS record or privacy policy page (as you can see above), and zero contact information was listed on the website. TechCrunch bought business records to finally obtain a name tied to the business, but that still didn’t get them any further.
Microsoft, who host the MongoDB database in question, were contacted, and eventually it was taken offline. Presumably they contacted the app developer, but it seems they’ve still not acknowledged their leaky database, either way.
Are MongoDB breaches a thing?
Sadly, yes. MongoDB is wonderful to deploy, but people seem to lose interest at the “locking it down” stage [1], [2], [3]. Sometimes, it’s deviations from default configurations causing the problem. Other times, nobody set a password. This is disappointing, given the security documentation available to ensure everything on the server stays secure.
What now?
If you’re one of the app users caught up in these events, try not to panic. While the data was exposed, it’s most likely to be abused by marketers and scrapers, and not so much hardened criminals. While this isn’t exactly great, it’s still better (and more probable) than “dubious stalker character uses this data to lurk near my home.” The chances of someone like that not only being able to find the data, but be close enough to your location to do something with it are remote.
It’s also a good reminder that we can’t possibly predict how secure a service is when signing up to it. The more access you give to your personal life, the more damage can be done should something go wrong afterwards. This may not be massively reassuring, but it’s sadly where we’re at. It’s up to app developers to step up and do a better job of it.
