Family Locator is an app created by the Australian software house React Apps which allows families to keep track of each other in real time. It can also send alerts when a family member enters or leaves a certain location, for example when a child arrives at or leaves school.
While the app is certainly useful, especially for parents, Family Locator appears to have left as many as 238,000 users exposed for weeks, leaking their real-time locations after a developer left a server online without any password protection.
The exposed server was found by Sanyam Jain, a security researcher and member of the GDI Foundation, a nonprofit organization that addresses ‘security issues with responsible disclosure’.
Jain found that not only was the server not password-protected, but the backend database behind it also lacked any authentication. That database held a large amount of personal data on every person who used the app: e-mail addresses, passwords and real-time locations were up for grabs for anyone who knew where to look. No exploit was required; simply reaching the host was enough to read the data.
Jain reported the finding to TechCrunch, which verified the claim by signing up to the service with a dummy e-mail address and then contacting a random user from the database. That user confirmed that their coordinates were accurate, as were the real-time coordinates of their child, who at the time was in class at a nearby high school.
Microsoft, alerted by TechCrunch, took the Azure-hosted database offline on Friday.
React Apps had not yet acknowledged the issue or released any statement at the time of writing.