Error in LocationSmart's free trial system let anyone track anyone
A bug in a service used to track cellphones allowed anyone who signed up for a free demonstration to track any person without consent, ZDNet reports. That service, LocationSmart, is intended for marketers but was used by another firm, Securus, to provide law enforcement with a controversial phone tracking system.
Why it matters: LocationSmart can be used to track nearly all domestic cell phones in the U.S. and Canada.
The details: The bug was discovered by Robert Xiao, a Carnegie Mellon Ph.D. student.
- LocationSmart offers a demonstration to track the location of a cell phone whose owner documented consent for the trial.
- Xiao noticed that the LocationSmart API — an interface between LocationSmart's computer code and a user's own computer code — did not properly check that consent was given.
- Xiao and a Carnegie Mellon organization called CERT, which specializes in security, notified LocationSmart of the problem.