The location data and personal data of the more than 35 million users of the GPS tracking service iSharing were temporarily available to all users. The error that made this possible was resolved last weekend.
Using the iSharing app, users can share their location with each other in real time. They can also send messages, for example in the event of an emergency. The intention is that the location data of users is only visible to the user himself and the person to whom they are sent. But vulnerabilities in the app made location data visible to all users of the app, even if it was not actively shared with anyone else, writes TechCrunch. In addition, user names, profile photos and the e-mail addresses and telephone numbers used to log in were visible.
The problem arose because iSharing's servers did not properly check whether a user had access to the requested data. The data was made visible by providing a user ID, which turned out to be consecutive. ISharing itself blames the problems on a feature called 'groups', which allows users to share their location with a group of other users. The servers allegedly did not properly check whether users could be added to a group of other users.
The problem was discovered by Eric Daigle, a student at the University of British Columbia in Vancouver. He shared his findings with iSharing, but heard nothing back. After two weeks, he decided to ask TechCrunch for help in approaching the app makers. The problems were resolved last weekend. Yongjae Chuh, co-founder of iSharing, told TechCrunch that she was grateful that the problems were reported. Chuh further states that there is no evidence that the bugs were found before Daigle discovered them.