Recently, a revelation by a security expert exposed how he could pinpoint any user’s precise location utilizing a popular phone-tracking application, sparking our curiosity to verify this claim firsthand.
University of British Columbia student Eric Daigle, studying computer science and economics, uncovered critical weaknesses in the app iSharing through his research into the security measures of location-tracking applications. Boasting over 35 million users, iSharing ranks among the top choices for location-tracking services.
Daigle pointed out that the app’s flaws made it possible to access another user’s exact location without their consent to share it, revealing private information such as the user’s name, profile picture, and the email and phone number associated with their account.
These shortcomings indicated a lack of proper verification by iSharing’s servers to ensure that users could only access their own or shared location data.
Security issues have long plagued location-tracking apps, including those used for clandestine monitoring, risking sensitive location information.
Daigle demonstrated his ability to locate this journalist to an accuracy of a few feet in mere seconds, utilizing the iSharing app on an Android device and a newly created account.
“770 Broadway in Manhattan?” was Daigle’s immediate response, as he accurately identified the location of TechCrunch’s office in New York from which the location data was being sent.
After discovering the vulnerabilities, Daigle informed iSharing about the issue nearly two weeks earlier but hadn’t received a response. That prompted him to reach out to TechCrunch for assistance in contacting the app developers, who corrected the flaws around the weekend of April 20-21.
Yongjae Chuh, iSharing’s co-founder, expressed gratitude to the researcher for identifying the flaw, enabling them to address it proactively. He also mentioned plans to consult security experts to reinforce data protection measures for their users.
According to Chuh, an analysis of their logs indicated no prior exploitation of these vulnerabilities before Daigle’s disclosure. He acknowledged the possibility of an oversight in their server’s group-joining verification process.
TechCrunch delayed the publication of this story until confirmation of the fix was received from Daigle.
Daigle described the process of finding the flaw as taking about an hour from initially opening the app and understanding its request mechanism, to discovering that creating and joining a group on another user’s account was possible.
Subsequently, he devoted additional hours to create a proof-of-concept script highlighting the security flaw.
Daigle, who has detailed the vulnerabilities on his blog, mentioned his intention to continue his investigations into stalkerware and location-tracking technologies.
Read more on TechCrunch:
For contact, reach out via Signal and WhatsApp at +1 646-755-8849, or through email. Files and documents can also be shared securely through SecureDrop.
Compiled by Techarena.au.
Fanpage: TechArena.au
Watch more about AI – Artificial Intelligence
