Want to learn someone's location? Due to some shoddy programming, a US company that hoards cell phone data accidentally gave anyone the disturbing power to do this.
LocationSmart specializes in collecting cell phone data from US wireless carriers. According to its website, the California company has location on 400 million devices.
However, LocationSmart appears to have been careless with that data. A computer scientist noticed on Wednesday that an online demo for one of the company's services could let anyone plug in the cell phone number, and pull up the device's location.
The searches were supposed to be limited to cell phone numbers whose owners had consented to the location lookups. To obtain that consent, the demo would text or call the phone number and request permission from the owner.
Unfortunately, the demo contained a software bug, according to Robert Xiao, a PhD candidate at Carnegie Mellon University. He was able to get around the demo and noticed a flaw in the system's API.
Xiao disclosed the vulnerability to security journalist Brian Krebs, who verified, with the help of trusted sources, that the LocationSmart demo could indeed pull up someone's approximate location.
“One of those sources said the longitude and latitude was returned by Xiao's queries, within 100 yards of their then-current location,” Krebs wrote on Thursday. “Another source said the location found by the researcher was 1.5 miles away from his current location.” How long the bug has been around is not known, but LocationSmart appears to have taken the demo offline.
Xiao was investigating the company amidst . Last week, a US senator revealed that Securus was also providing cell phone location lookups to law enforcement and correctional officers without a warrant.
So far, LocationSmart and Securus have not commented. But their practices are raising serious questions about why US wireless carriers are handing over so much private data to third-party companies when no controls appear to be in place.
But on Thursday, an AT&T spokesman said: “If we learn that a vendor does not adhere to our policy, we will take appropriate action.”