"Family Locator" Leaks Real-Time Location Data of App Users

A popular family tracking app, Family Locator, was found leaking the real-time locations of more than 238,000 individual users for weeks after an app developer left sensitive data exposed on the internet without a password. The app is built by React Apps, an Australia-based software company.

According to Sanyam Jain, a security researcher and member of the GDI Foundation, the unprotected server was running a MongoDB database that stored the real-time location and other significant details of users.

Family Locator allows family members to track each other in real time, for example spouses, or parents wanting to know where their children are. It also lets users set up geofenced alerts to send a notification when a family member enters or leaves a certain location, such as school or work.

Based on a review of the database, each account record contained a user’s name, email address, profile photo and plaintext password. Each account also kept a record of the user's own and other family members’ real-time locations, precise to just a few feet. Any user who had a geofence set up also had those coordinates stored in the database, along with what the user called them, such as home or work. None of this data was encrypted.

Upon learning about this incident, TechCrunch spent a week trying to contact the developer, React Apps, to no avail. They then asked Microsoft to contact the developer. On March 22nd, 2019, Microsoft, which hosted the database on its Azure cloud, was asked to take immediate action. Later, the unsecured database was no longer available on the internet.