Website flaw exposed real-time location for millions of cell phones, experts say


Cybersecurity experts say a recently discovered website flaw could have allowed virtually anyone to access real-time location data for millions of Americans’ cell phones.

The vulnerability was found in a website run by LocationSmart, a company that aggregates cellular location data so it can be used by third parties such as app developers to verify users’ locations or send location-based promotions.

LocationSmart has location data for all four of America’s largest wireless providers: AT&T (ATT), Verizon (VZ), T-Mobile (TMUS) and Sprint (S).

The flaw was discovered by Robert Xiao, a security researcher at Carnegie Mellon University, and reported Thursday by KrebsOnSecurity.

KrebsOnSecurity, a popular cybersecurity blog run by Brian Krebs, said it “verified” the vulnerability could be exploited to reveal the location of “any” phone on the four major US cell phone networks as well as several other smaller providers.


“Anyone with a modicum of knowledge about how Web sites work could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will, all without ever having to supply a password or other credentials,” the blog post reads.

I discovered a bug in LocationSmart's API that allowed *anyone* to access *any phone's location* without any consent required. Works on major US carriers and even some Canadian ones. Utterly frightening stuff. Thanks @briankrebs for writing up the report. t.co/kdRVe9tthg

— Robert Xiao (@nneonneo) May 17, 2018


Brenda Schafer, LocationSmart’s vice president of product and marketing, said in an emailed statement that the issue “has been resolved” and the demo feature was taken offline.

“We have further confirmed that the vulnerability was not exploited prior to May 16th,” the day Xiao says he first discovered the flaw, “and did not result in any customer information being obtained without their permission,” she said.

It’s unclear how long the flawed feature was online.

Schafer added that LocationSmart is “continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist.”


One federal lawmaker, Senator Ron Wyden of Oregon, is calling on the Federal Communications Commission to step in.

If the @FCC refuses to act after this revelation then future crimes against Americans will be on the commissioners' heads. https://t.co/INQxQUjVan

— Ron Wyden (@RonWyden) May 18, 2018

“A hacker could have used this site to know when you were in your house so they would know when to rob it. A predator could have tracked your child’s cell phone to know when they were alone,” he wrote in a tweet Friday. “If the @FCC refuses to act after this revelation then future crimes against Americans will be on the commissioners’ heads.”


The FCC did not respond to requests for comment from CNNMoney. Reuters reported that the commission said it is referring reports about the flaw to its enforcement bureau, which will investigate them.

When reached for comment, AT&T said it does not permit location sharing without customers’ consent and said it will “take appropriate action” if it learns a vendor violated that policy.

T-Mobile said in a statement that it has “addressed issues that were identified” with LocationSmart “to ensure that such issues were resolved and our customers’ information is protected.” The company added that it is still investigating the matter.

Sprint said it is “conducting an internal review.”

“If we become aware of any of our customers violating the terms of our contract, we will take immediate action,” the company said.

Verizon did not immediately respond to a request for comment.
