
I recently purchased a satellite communicator that allows me to send a map of my location to friends and family while I'm hiking in the wilderness.

While testing out my product, I noticed that the url was constructed as so:

http://www.example.com/mylocation/?id=YYYYY/XX.XXXXN/XX.XXXXW

Where Xs are digits that are part of a physical latitude/longitude and the Ys are part of a 5 character alphanumeric ID.

Being curious, I truncated the latitude/longitude part of the URL and changed the ID by one character.

http://www.example.com/mylocation/?id=YYYYZ

By doing this, I could then see a different user's:

  • physical latitude/longitude location on a map
  • device name (whatever they chose to call it; most people have something like "Harry's GPS")
  • custom pre-set message used while sending their location, if they have one set (ex: "Checking in - I'm safe.")

My question is, does this present a security flaw, and should the company be alerted about this?

My argument for contacting the company would be that seeing other users' physical locations is a blatant flaw; however, that's the entire point of the product - to easily share your location with your family/friends. I also can't see whom the device actually belongs to (name, phone number, username, email, etc.), so the location data is anonymised as far as I can tell.

Lil' Bits
  • Go do a search for "responsible disclosure" so that you know the correct way to do this to limit your personal liability. – Moby Disk Jan 10 '17 at 03:16
  • @MobyDisk Is personal liability an issue here? This is an obvious, blatantly insecure, well-known, sloppy, often occurring issue. I would just demand a recall/refund directly from them and buy a competitor's product. You don't have to say that you changed the ID. You can just point out that this is a well known vulnerability – Jan 10 '17 at 09:29
  • You can consider what benefits you can gain from telling them. Clearly you're not obligated to tell them since you're asking this question. – v7d8dpo4 Jan 10 '17 at 09:41
  • Report it anonymously, if they respond positively you can always disclose your identity later on. If they try to sue or hide the issue you can disclose the vulnerability publicly. – André Borie Jan 10 '17 at 12:55
  • There is essentially zero probability that they don't already know about this issue -- it's such an obvious feature of the design that even if it's not strictly-speaking intentional it must be a known limitation of the "security" of the product. So almost certainly, you literally *cannot* alert them about the issue. At best you can alert them that you personally have noticed it too. I think that pretty well dismisses any responsibility you might feel to disclose to the manufacturer. You might want to tell the public, if the manufacturer has made false representations about the security. – Steve Jessop Jan 10 '17 at 13:16
  • @SteveJessop I've encountered programmers who'd code a vulnerability like this without knowing it, and dysfunctional code review processes that'd allow it to be deployed. Notifying them might be worthwhile. – ceejayoz Jan 10 '17 at 13:34
  • @SteveJessop In fact, this happens so often that it is in the OWASP Top Ten - A4 (Insecure Direct Object References) – crovers Jan 10 '17 at 13:35
  • Can you post a follow up so we can hear the company's response? – Kryten Jan 10 '17 at 15:16
  • I think that as always, it is important to note that none of these answers, even if they mention legalities and potential issues, constitute legal advice. – J Sargent Jan 10 '17 at 16:47
  • @JanDoggen Yes. Not a week goes by where I don't see a news story about a security researcher sued for disclosing a security vulnerability. – Moby Disk Jan 10 '17 at 19:02
  • you could do the other way around, tell them someone else is stalking you after you purchased the device, and that stalker finally admitted to have guessed your user id and you want your money back. – montelof Jan 10 '17 at 21:54
  • @SteveJessop I don't think it's very useful to make such assumptions without backing them up with... something/anything – Jan 11 '17 at 01:51
  • Please consider changing URLs to http://www.example.com ? -----.com domain is now not available, but there is no guarantee it'll stay that way forever, whilst example.com and example.org are supposed to be 100% safe, permanent replacement domains for documentation. – Mołot Jan 11 '17 at 09:49
  • @Mołot I've changed it to `example.com` – Lil' Bits Jan 11 '17 at 14:37
  • @kryten If I wanted to report it anonymously, I would need to be sure it wouldn't be traceable to me. I'd like to send them this discussion thread also, as it could be useful to them. However, I am wondering if reporting is [worth the possible consequences](http://security.stackexchange.com/a/6370/44995). They're not a big company, but I'd rather not have my stuff raided for some URL manipulation. I'll notify the thread if/when I contact them, and post the response. – Lil' Bits Jan 11 '17 at 14:37
  • how is that device enabled to send data? it has SIM card or what? what should I search to find such devices? – Marian Paździoch Jan 13 '17 at 11:14

10 Answers


Yes, you should notify the problem to the company - with caution.

Update: a shorter, very complete answer was supplied by @crovers. But if you have patience...

...the problem here is not simply the possibility of tracking J. Random Stranger, but rather that:

  • once your ID has been given to someone, apparently you cannot take it back and it does not expire. That person can now follow you everywhere (think "overly attached girlfriend"). Also, that ID may leak. Emails get forwarded by mistake and sometimes the little, easily overseen ... glyph in mail programs covers lots of sensitive information.

  • you don't even need to give it to me. If the IDs are sequential [as commented by @crovers], I can tabulate all of them in very little time, check their position, and easily single out those five or six that are near enough to the position I know you might be in. Tomorrow, another five or six will be near enough a different place you're now in; of those five, maybe two were in the original five, so you must be one of those two. In comparatively little time I've narrowed my candidates to one: I now have your ID and can stalk you, and you are none the wiser.

  • I may even not know you. The ID can be used to prank total strangers. I just googled a bit and found a couple thousand Facebook users that boasted of their new (NAME OF GPS-RELATED GADGET). I used a very well known brand, so your gadget will have maybe only one hundred people that I can discover easily. A full half of those, I'm confident, will routinely post pictures about where they are (does Facebook purge EXIF GPS information?). In a very little while, one of them that caught my fancy might receive a message stating "How's the weather in Old Nowhereville?" even if he (or she) never said anything to anyone about where he (or she) was, nor even posted anything anywhere. Such pranks - and knowing that some total stranger is apparently interested in you, and always seems to know where you are - can totally ruin your day. And they can totally ruin the company's day, if some pranked people get convinced that their GPS can somehow be "hacked remotely", even if, as in this case, that's not what's happening at all. Yes, I have a sick mind - but I'm not the only one, so you might want to point the company's people to this page - and, to restate another very good point made by @crovers and Arminius, do so anonymously. The potential damage to them is huge, and you're doing them a big favor by pointing this out to them. But some companies might have a (knee-)jerk reaction and try to bully you into silence believing this solves something (or even solves the matter entirely); Nobel laureate Richard P. Feynman's "vulnerability disclosure" story makes for hilarious reading ("That was his solution: I was the danger!").

You're actually helping them.

  • trust me, lots and lots of people would do exactly what you did when seeing "id=XXXXX" in a URL. I would have done it. Depending on the gadget's popularity, I'd wager many others will already have done so. So it's not like you're unleashing a zombie apocalypse over someone who otherwise would have remained safe - you'll probably simply be the first to have had the conscience to tell them they are not safe at all. Because that's significantly rarer than having the curiosity to change an ID.

It didn't have to be like this at all.

It is trivially simple, from the company's point of view, to fix this by allowing each user to regenerate a different secret ID on demand any time they choose. And even set an expiration date. And they still could do it now.

A very quick fix could be to proxy their website through a simple filter, connected with a database.

Your new URL is, say, http://www.example.com/mylocation/?id=22b255b332474ae3e7f008cc50ebe3e0&...

or one could translate that to "true.pony.pile.main.jazz.call.mine.soft.pink.rake.jane" to get something more easily remembered or dictated over a phone.

The first four words are somewhat connected to "correct horse battery staple".

The proxy checks in a database and finds that 22b255b332474ae3e7f008cc50ebe3e0 is a valid ID, and is associated with "real" (or "old") id 12345, so it transforms the URL by simply replacing the ID with 12345, sends the request to the true, hidden website, gets the page back, rewrites any 12345's with the original 22b2... stuff, and hey presto!, the external user can see where you are, same page as before, but he has no way of knowing that the true ID is 12345 (and, even if he knew, he'd have no way of getting it through to the system, which now only accepts hashes).

But now, user 12345 can have as many IDs active as the company wants (or sells!), and give one to his mom, one to his SO, and so on. One ID leaks, or he breaks up with his friend -- he invalidates that one ID. It also becomes possible to know how many accesses there have been to each ID, so the snooping can be two-way. Possibly for premium users only :-D. For some IDs, the website may even release randomized information, or low-precision GPS coordinates.

And if you wanted to guess at random a valid ID - well, there are some 2^128 of those. If each customer had one hundred disposable IDs (say 2^7), and the company had one billion customers (say 2^30), there would still be approximately one possibility over 2^90 to get a valid ID by trying at random. If that's too little (or if my math happened to be a bit askew), there are larger hashes too.

And the old ID no longer works since you can't reach the original server without the ID you supply getting hashed.

Given the reasonable implementation cost (a couple of days' worth for one developer and one QA engineer, and I'm padding heavily), I'm a bit baffled that this wasn't designed in from the start.

LSerni
  • "It is trivially simple, from the company's point of view, to fix this by allowing each user to regenerate a different secret ID on demand."—I believe the alphanumeric ID in question is regenerated for each update. It's an update ID, not a user ID. – Nick Matteo Jan 09 '17 at 23:56
  • @kundor, I don't know. It is described as a *5 character alphanumeric id*; that's really not very much even if it's an incremental (and so might become a 32-character alphanumeric id with time). The problem with predictability remains. – LSerni Jan 10 '17 at 08:01
  • Whether it's an update ID or a user ID, the general principle they've chosen not to follow, is that public-facing IDs should be big enough and (pseudo-)random enough to be unguessable. Public-facing personal information should *also* be revocable/deletable. So even if it is just an update ID, so that the impact is less than stated here, it's still equally annoying that they didn't just do it properly. – Steve Jessop Jan 10 '17 at 13:21
  • @LSerni - yes, Facebook do purge EXIF data. In general this is something social media & photo sharing sites have historically been very good at for a very long time. They've been eliminating photo metadata for years. – niemiro Jan 10 '17 at 18:52
  • There was once a dating site that had this vulnerability, but worse. You could go to example.com/profile.php?id=xxxxx and edit their profile without even having a paid account. (thanks @Mołot) – Almo Jan 11 '17 at 13:38
  • Facebook preserves EXIF GPS data and asks if you'd like to tag the location as that found in the image's metadata. It is creepy and annoying. – cat Jan 11 '17 at 14:02
  • A rapist could look for all the female names, then stalk them until they are in a secluded spot. – Chloe Jan 11 '17 at 17:51
  • @niemiro Though I doubt they did it with the intent under discussion here. They probably rather wanted to get rid of any copyright info and while they're at it remove EXIF altogether to minimize file size while rescaling anyway ;) – Hagen von Eitzen Jan 12 '17 at 07:45
  • I figure it's only a matter of time before the term "CHBS", pronounced "chubs", is instituted to represent semantically-associated random-dictionary-word passphrase generation. – hBy2Py Jan 12 '17 at 17:15
  • @hBy2Py, you did not google 'xkcd chbs' by any chance? :-) – LSerni Jan 12 '17 at 17:19
  • @LSerni I know that comic well; I didn't know the acronym had gotten standardized already. Oops. :-D – hBy2Py Jan 12 '17 at 17:30
  • @LSerni Interestingly, I ***can't*** Google 'xkcd chbs'. It keeps giving me search results for 'xkcd cubs', even when I click on "Search instead for xkcd chbs". – hBy2Py Jan 12 '17 at 17:31
  • @Chloe only device names are shown. A smart person will use a generic device name. Most devices will be hard to determine whether they are male or female. In fact, a stalker might have a very hard time. The real issue is someone stalking someone they know or *are already stalking*. And I think the other option... they'll just attack someone randomly. I don't think they need to stalk someone for days. – user64742 Jan 14 '17 at 17:41

Yes. They ought to be using a long, unguessable string instead of a predictable, short one.

I would consider this a security flaw that is relatively simple for them to fix.

However, I would caution you - some companies do not handle situations like this very well. Some argue (in my view incorrectly) that changing that id constitutes hacking and they may threaten to sue or have you charged. That is dumb, but I'd advise you to approach them anonymously or via an intermediary.

Check to see if they have a bounty program - (google company name and bug bounty). If they do not, you may want to consider using an intermediary - Zero Day Initiative is one.

crovers
  • Yes, be very careful! [US courts](https://security.stackexchange.com/a/6368/15392) (re:AT&T) are among those that believe changing the ID is illegal! – Jan 09 '17 at 22:02
  • +1 for getting straight to the point on the fix, which to me is relatively uninteresting compared to the greater emphasis on the 'yes, but' about the risk to the reporter of possible reactionary attitudes of the company. The question was 'Should I report this?', not 'How should they have done this?', and so I think this hits the target more succinctly. – underscore_d Jan 10 '17 at 02:15
  • But wouldn't discovering a security issue and reporting it to the company without making use of it count as ethical hacking by definition? – Neinstein Jan 10 '17 at 07:23
  • @Neinstein When hearing "ethical hacking" some people will hear "ethical" and others will just hear "hacking". – Stig Hemmer Jan 10 '17 at 08:08
  • @Neinstein: The downside risk for the person doing it revolves around the fact that "ethical hacking" can still be prosecuted, since not everything that is ethical is legal. Being a martyr to the cause of better security is a fine and noble thing, but you still shouldn't blunder into it accidentally ;-) – Steve Jessop Jan 10 '17 at 13:26
  • I'd be interested to know how you would approach someone anonymously? Would you simply setup a new email address - it seems many require an address + mobile which make you pretty easy to track down? – Ian Jan 11 '17 at 20:44
  • If hacking is against the law then it's presumably a crime irrespective of what you do after. It probably is ethical hacking but ethical and legal are two different things. Legal, ethical hacking normally involves either getting permission in advance from the owner of the remote system being hacked, or buying a device and hacking that, so you are hacking your own property. – bdsl Jan 11 '17 at 22:01
  • It could be phrased as "I was playing with my own URL, and noticed that the long/lat being removed did not affect displaying my map [as this is still YOUR id you are entering], and I have a concern that if anyone else entered my id into the URL they would be able to track me". That way, it appears that you're concerned with your own safety. It could also just be phrased as "I noticed my ID, which is a short and predictable value, was in the URL... could this be a security flaw?" – Daevin Jan 12 '17 at 19:03
  • @drewbenn The AT&T case gets talked about a lot with regards to reporting but to be fair to the US courts while I still think the result was quite wrong, the situation wasn't even remotely similar to reporting a security vulnerability. The case was about abusing an (almost astonishingly similarly stupid) vulnerability for fun and annoyance of others. I would still caution people about reporting since even if I think you'd quite likely prevail on the merits not everyone wants to dump hundreds of hours (and possibly money though ACLU or someone might take up the case) for others' security. – DRF Jan 16 '17 at 09:54
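The fix that this answer and LSerni's answer above both describe (a long, unguessable identifier that can be revoked, issued per recipient and made to expire, translated by a proxy into the short internal ID the legacy site still uses) is sketched below as an added example. It is not code from the original page, from the device vendor, or from either answerer. The legacy backend (`legacy_lookup`), its two device records, the 5-character IDs `AB12C`/`AB12D` and the in-memory `TOKENS` store are all constructed stand-ins for a real backend and database table.

```python
"""Opaque, revocable share tokens in front of a legacy location page.

Added example for this thread; not code from the original page or from any
real product.  The legacy backend, its sequential 5-character IDs and the two
device records are constructed stand-ins, and the token store is an in-memory
dict standing in for a database table.
"""
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# --- constructed stand-in for the hidden legacy site ------------------------
# Keyed by the short, predictable internal ID that must never leave the proxy.
LEGACY_RECORDS = {
    "AB12C": {"lat": 46.5123, "lon": -121.4567,
              "device": "Harry's GPS", "message": "Checking in - I'm safe."},
    "AB12D": {"lat": 37.7749, "lon": -122.4194,
              "device": "Sally's GPS", "message": ""},
}

def legacy_lookup(internal_id):
    """Simulates the old endpoint: any valid internal ID returns the record,
    echoing the ID back, exactly the behaviour the proxy has to hide."""
    rec = LEGACY_RECORDS[internal_id]
    return {"id": internal_id, **rec}

# --- the filtering proxy ----------------------------------------------------
TOKENS = {}          # token -> metadata; a database table in production
TOKEN_HEX_LEN = 32   # 16 random bytes = 128 bits, rendered as hex

def issue_token(internal_id, ttl_seconds=None, precision=4, now=None):
    """Mint a fresh unguessable token for one internal ID.  A user may hold
    any number of these (one per recipient), each independently revocable."""
    now = time.time() if now is None else now
    token = secrets.token_hex(TOKEN_HEX_LEN // 2)   # OS CSPRNG, not a counter
    TOKENS[token] = {
        "internal_id": internal_id,
        "expires": None if ttl_seconds is None else now + ttl_seconds,
        "revoked": False,
        "precision": precision,   # decimal places of lat/lon released
        "hits": 0,                # lets the owner see how often it was used
    }
    return token

def revoke_token(token):
    TOKENS[token]["revoked"] = True

def resolve_token(token, now=None):
    """Return the token's record if it is currently usable, else None.
    Unknown, expired and revoked tokens are indistinguishable to the caller."""
    now = time.time() if now is None else now
    rec = TOKENS.get(token)
    if rec is None or rec["revoked"]:
        return None
    if rec["expires"] is not None and now >= rec["expires"]:
        return None
    return rec

def proxy_fetch(url, now=None):
    """Serve /mylocation/?id=<token>.  Returns (status, payload)."""
    query = parse_qs(urlsplit(url).query)
    token = query.get("id", [""])[0]
    # Only the opaque token form is accepted.  A short legacy ID such as
    # 'AB12C' (or a neighbour of it) is refused before any backend call, so
    # guessing internal IDs is no longer possible from outside.
    if len(token) != TOKEN_HEX_LEN or any(c not in "0123456789abcdef" for c in token):
        return 404, "not found"
    rec = resolve_token(token, now)
    if rec is None:
        return 404, "not found"
    rec["hits"] += 1
    page = legacy_lookup(rec["internal_id"])
    # Rewrite the response: the internal ID is replaced by the token, and the
    # coordinates are rounded to the precision this particular token allows.
    page["id"] = token
    page["lat"] = round(page["lat"], rec["precision"])
    page["lon"] = round(page["lon"], rec["precision"])
    return 200, page

def guess_probability(bits, customers, ids_per_customer):
    """Chance that one random guess hits any live token (the 2^128 argument
    in LSerni's answer): live tokens divided by the size of the token space."""
    return (customers * ids_per_customer) / 2 ** bits

if __name__ == "__main__":
    t = issue_token("AB12C", ttl_seconds=3600)
    print(proxy_fetch(f"http://www.example.com/mylocation/?id={t}"))
    print(proxy_fetch("http://www.example.com/mylocation/?id=AB12D"))   # 404
    revoke_token(t)
    print(proxy_fetch(f"http://www.example.com/mylocation/?id={t}"))   # 404
```

Two details matter beyond the token length: `resolve_token` returns the same `None` for unknown, expired and revoked tokens, so a caller cannot use the response to confirm that a token ever existed, and `proxy_fetch` rejects anything that is not a 32-hex-character token before touching the backend, which is what makes the old five-character ID space unreachable from outside rather than merely undocumented.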

To add to the other answers - be aware of the risks of reporting the problem yourself:

If you're inexperienced with reporting security issues, you might come across to them as dodgy and potentially malicious. A company that doesn't have experience with handling security issues might forward your report to the company lawyer rather than the IT department. Obviously, you simply want to help, but to them you're mainly causing trouble. Chances are, they don't want the issue to become public (which could cause great harm to their business reputation) and hence they might threaten you with legal consequences. In the worst case they will contact law enforcement without further notice.

Being curious, I truncated the lat/lon part of the URL, and changed the id by one character.

So you didn't find that purely by accident. From the company's perspective you gained access to other customers' data by manipulating the URL - it won't matter to them how easy it was and that you did it "just out of curiosity". They might still see you as a threat and react unprofessionally.

You should be aware of this possible interpretation and decide carefully if it's worth the risk. If you deal with security bugs without a contract or a public policy that encourages bug hunting, you're in a legal grey area.

Arminius
  • ...and a *grey area* that has been occasionally enthusiastically cluster-bombed by various companies in the recent past, as others have pointed out :-( – LSerni Jan 10 '17 at 15:17

If I were you, I would say something like

Hello,
I have mistyped my ID (e.g. 12345) and pressed enter instead of backspace,
and I was dumbfounded to find that the page loaded and found 
the location of a stranger who has the ID next to mine (e.g. 12346).
Being able to track someone without their permission
seems to be a security problem, as someone that knows me on Facebook 
with a small bit of IT knowledge would be able to guess my ID without me knowing.

Basically, say you found it not by curiosity but by accident. Also send it pseudo-anonymously (e.g. don't use your real id, and mail using something like jon.doe@gmail.com).

Check your mail before sending and maybe make someone you know proof read it.

Read it as if you were anger personified, that might help you smooth it so that you don't let someone that started his day by banging his toe on the bed post let out his anger on you.

If they don't answer, or don't do anything about it for some time, say (maybe after a month or two, as this is a medium security problem) that you would like them to do something about it or you will try to warn other users about this issue. If they still do nothing, do it, but be warned, they might not like it. See this zamfoo case.

Insist that if you found it as trivially as this, someone worse might be using for nefarious purposes, and other users might have stumbled on that and be concerned too.

Use common sense so that you appear as a concerned user that stumbled on something weird or a friend of that user, that works too. A little "untruth", a lot of calm and politeness goes a long way to test the waters. If they seem friendly enough, you might say that you are competent (if you are) and can help them track the problem.

If you help them, and they are friendly, you might want to ask them if they want you to actively check other potential problems. (If they have great experience with you that might help you get a job (they can talk about you, how good (friendly but professional) you are etc.. to other people that might want you. Or just serve as a reference), or some friends.)

Also that's an occasion for them to get free advertisement, if they react well, you will probably be inclined to talk about them to people who might be interested.

Whatever you and they do, keep calm, don't escalate quickly, understand their point of view, and DO NOT APPEAR AS A THREAT (1)

If you look like you can damage them more than you would help, it is the quickest way to put them on the defensive, and get lawyer threats/a real case if you did something stupid and didn't cover your grounds.

(1) That works in most cases, not only when talking about security, but also with more or less angry people (coworkers, bosses).

Digression: The only time you may want to appear as a threat is if you are threatened by someone/something confident that nothing will ever oppose them (e.g. a very angry dog): calmly walk towards them showing no fear (even if you brown your pants); they will probably start to bark more, but they will slowly back up and let you pass (or kill/maul you, but if you fled that would be the same).

ps: Be critical of what I say, I'm a dumb human, and I do not own absolute truth, if something appears better, ponder the ideas, do what seems best and see what happens, learn.

(Also feel free to propose edits if that seems too unstructured/long/rambly, I do not bite.)

satibel
  • If you say `I have mistyped my ID (e.g. 12345)` - doesn't that destroy your anonymity? (Because you provide your own ID?) – toogley Jan 12 '17 at 07:07
  • @toogley "send it pseudo anonymously (e.g. don't use your real id,[...])" – satibel Jan 12 '17 at 07:23
  • This is one obvious approach, but I can't recommend fudging the truth. Anonymously reporting, yes. – Wildcard Jan 14 '17 at 05:20
  • Mention to the company that you are *concerned* that the fellow identified by `12346` may mistype `12345` and see **my** location – usr-local-ΕΨΗΕΛΩΝ Jan 14 '17 at 13:07
  • I'd send them a message from a one-time email registered through TOR and then publish the vulnerability through TOR if they don't fix it within a few weeks. It's easier to blame the "hacker" than to admit fault, so make sure you're impossible (or, to be precise, very hard) to trace. – JonathanReez Jan 16 '17 at 11:47
  • @JonathanReez that is another way to do it, not one that I like as you don't have the benefit of maybe (probably) making good contacts if they are friendly. But if they are too complacent or lazy, it is one you may need to use. Note that only few companies will be annoyed if you contact them as a concerned customer; if they are, run away from them. – satibel Jan 16 '17 at 12:27

Everyone else seems to be jumping the gun here. The key part to consider is HOW you, an end user, share your location with other end users (family/friends).

If you view the information with a link, and are able to send the same link to family members, then there is an assumption that you are posting information publicly (there is no authorization system).

The Privacy Statement or Terms of Use should spell this out. Who can access your location data? What information is provided publicly? It would certainly clarify the question you proposed.

Using a simple web link is not how I would design such a system, but seems completely intentional. I would perhaps suggest you ask them about privacy settings.

dark_st3alth
  • From a strictly legal standpoint you're probably right. But the fact remains that the privacy settings have only one setting, and that's "none". Given that so much value could have been added at so little cost, I find not having already done so, well... *fascinating*. – LSerni Jan 09 '17 at 22:16
  • Certainly if I was to design it, I would at least have a password such that only certain people you share the password with have access. Having no authentication or authorization systems in place is downright ridiculous, if not a significant flaw of thinking. What else do you think they have forgotten? – dark_st3alth Jan 09 '17 at 22:29
  • I agree that using a link isn't ideal here, but that isn't really the point. Even if a user doesn't share the link, others can access their location. So the answer to your Who and What questions seem to be everyone and everything. I doubt that the device is advertised as such, so this is indeed a security flaw. – tim Jan 10 '17 at 17:36
  • The assumption however is that by using the service, you are allowing unspecified others to access your location information. This isn't good in practice, but for simplicity's sake is very reasonable. *There is no excuse for a lack of privacy controls*, but the user did sign up and start using the service. – dark_st3alth Jan 10 '17 at 21:29

This is an interesting question, in most systems I'd consider this an insecure direct reference vulnerability exposing location data.

Real time GPS location should be considered sensitive; it could have multiple nefarious uses. In this case though it is the entire point of the system and although I think the IDs should be harder to guess while remaining usable (e.g. be alphanumeric) the data isn't identifiable to a specific user. It could also be secured by a password which you supply to users who you wish to grant access.

I don't think this is a security risk as such, just a poor implementation. The question is would you feel your information or privacy was violated if a stranger browsed to your page? If so raise it with the manufacturer.

Edit: - Revised my opinion on this. I would consider this system vulnerable. Identifiers should be harder to guess and ideally password protected.

iainpb
  • Consider - if someone knows you have such a device and currently knows your physical location. They can find your device by checking all the ids and finding the device that is currently in your location. From then on, they can always find out. I think this is a security flaw, for certain. – crovers Jan 09 '17 at 21:40
  • Good point, this would be fairly trivial to script and quickly enumerate too. – iainpb Jan 09 '17 at 21:58

This problem occurs because of direct object references and easily enumerated IDs. We should not use easily enumerated IDs in any system because it opens up easy guesses to the attacker. If you can't guess IDs, then we can reduce the risk of direct object reference as well. They should use some random ID value or a GUID to represent a user.

As I think this is a major flaw, the company should provide some API where the family/friend is authenticated before they can track you. As @Arminius suggested, we can't predict how the product company will accept your finding. It is always better to report this anonymously. If not, use a Responsible Disclosure template or terms.

user3496510

It doesn't represent a flaw. It seems like they feel it's an acceptable risk. I wonder how easy it would be to programmatically cycle through UIDs and collect data that you could reference to identify someone. If they just salted the ID, you could still share it openly, but you couldn't easily cycle through people's locations.

tim_shane
  • Totally concur. Yet I suspect that they did not think the risk business through. It's no great mischief if my location gets leaked, but this can easily lead people to believe that the gadget is *insecure*. Is the cost of salting the ID so much higher than the PR cost of just *one* cry of alarm on a social network? (Which would quickly sprout a dozen "tutorials" by wannabe "l33t crack3rs" - as if we hadn't seen that happen too many times). – LSerni Jan 09 '17 at 22:10
  • Excellent point. A cloud based location tracker shouldn't be reactionary to security concerns. It's a great way to ruin a business. – tim_shane Jan 10 '17 at 00:08
  • To be clear: do not write and run that hypothetical program. The guy that did that with the AT&T iPad registration system spent a couple years in US **federal prison** as a result. – nobody Jan 10 '17 at 03:10
  • Interesting point. Most companies, for cost reasons, underestimate such privacy issues even when they are aware of them. They say "let's not do anything as soon as someone reports. It's risky but fixing is expensive". Only a strong regulatory authority supported by adequate privacy law can force companies to respect the standards. This *sometimes* happens in the EU, but when dealing with small companies it's very difficult that they take action or get sanctioned in time. It's a whole different story when someone says "Whatsapp may leak sensitive data" than "ACME may leak sensitive data" – usr-local-ΕΨΗΕΛΩΝ Jan 14 '17 at 13:12

I recently purchased a satellite communicator that allows me to send a map of my location to friends and family while I'm hiking in the wilderness

Based on the highlighted I think the person has purchased primarily a tracking device that has the primary purpose of frequently updating its location in a publicly available and predictable location on the internet so that search and rescue services have free easy access to your location information to assist in your rescue.

I would not be surprised if the device didn't come with a card with the predictable url on it or place to write your ID on it to get the location information with the intention that this card is then handed to search and rescue by your family when you need to be rescued.

If the data was secured it would become much more problematic for search and rescue to gain access. Especially as the device can operate globally and laws being different in different locations it is quite possible that even though family members could provide their login credentials to search and rescue team members they may legally not be allowed to use your credentials to use that service.

A live updated feed of your location is also much more helpful especially in situations where it would take a long time to get to you on foot and the person with the tracker is still roaming around.

The ability to send an email that notifies someone of your current location is a way of checking in. With an absence of check-in emails after x amount of time, or at specific times, or at specific times and locations, then it is an indicator to the family member to call search and rescue. This is an inexpensive way of being able to check in without purchasing an actual sat phone to check in on while out in the middle of nowhere.

I think they are well aware of it not being secured and also considered it not a risk at all because its the entire point of the product, just as another person had said... it's completely by design.

If you do not want to be tracked, turn the device off and it will no longer update your location info.

axawire (edited by JDługosz)
  • This is a security site. And no, "usable in wilderness" does not imply "should be public facing." Satellite communication is a *necessity* for connectivity in the wilderness. That doesn't imply anything at all about the way the connection should be assumed to be used by customers. – Wildcard Jan 14 '17 at 05:23

Sounds like this is how the product was designed. It uses a UID + LAT/LONG to share your location with people...so you're basically saying you discovered how the product was designed. No flaw there. Should they maybe implement a security system where you need a PIN or something to access the location data? sure. But if the whole point of the product is to share your location, then you just discovered the short way to see other people's location, which is...wait for it...what it was designed to do.

If you want, submit a feature request and say "hey you should use PINs or something because anyone can see someone else's location, etc" but otherwise, this doesn't seem like a flaw based on what you described.

Evan R.
  • Other answers cover the flaws in this: just because you want to share your location now doesn't imply you want to share it *forever*, and just because you want to share your location with one person doesn't mean you want to share it with *everyone*. Saying that this isn't a security flaw because it's designed to share location data is kinda like saying an issue where you could view any other user's Dropbox files isn't a flaw in Dropbox, since it's a service designed for sharing files. – Xiong Chiamiov Jan 09 '17 at 23:52
  • @XiongChiamiov right...which is why I, as well as others, suggested a password/PIN. I never said it was the best way to do what they're doing, just like two tin cans + string probably isn't the best way to communicate over long distance. It works for what they wanted, but isn't the most secure/optimal way to do it. – Evan R. Jan 10 '17 at 00:47
  • Judging from OP, it seems like it doesn't need the LAT/LONG to function- just the UID seems to give the location on a map (i.e. LAT/LONG is pulled in the backend and then populated in, likely to feed data into the frontend so the frontend can figure out showing the map correctly). – Delioth Jan 12 '17 at 19:29