A recent discovery by security researcher Eric Daigle revealed significant security vulnerabilities in the widely used phone-tracking app iSharing, affecting over 35 million users. These bugs allowed anyone using the app to access other users’ coordinates, even if the users weren’t actively sharing their location data.
The vulnerabilities also exposed users’ names, profile photos, email addresses, and phone numbers used for logging into the app. Specifically, iSharing’s servers failed to properly check whether the user making a request was authorized to access the location data being requested, which allowed unauthorized access.
Daigle discovered these flaws as part of an investigation into the security of location-tracking apps, highlighting the risks associated with such applications, including stealthy “stalkerware” apps. The vulnerabilities could enable attackers to passively intercept and decrypt users’ precise location data, posing significant privacy risks.
Despite Daigle’s responsible disclosure, iSharing initially did not respond to the reported vulnerabilities. However, after TechCrunch intervened and reached out to the app makers, iSharing fixed the bugs during the weekend of April 20-21.
The company attributed the vulnerabilities to a feature called “groups,” which allows users to share their location with others. iSharing plans to work with security professionals to implement additional security measures to protect users’ data.
While these vulnerabilities have been addressed, the incident underscores the importance of robust security measures in location-tracking apps to safeguard users’ privacy and sensitive information. Users are advised to keep their apps updated and consider switching to apps that prioritize on-device operation to mitigate potential risks.