Maria Montero

A family tracking app was leaking location data on …

A popular family tracker app was filtering the real-time locations of more than 238,000 users for weeks after the developer left a server exposed without a password.

The app, Family Locator, built by the Australian software house React Apps, allows families to track each other in real time, such as spouses or parents who want to know where their children are. It also allows users to set up geofenced alerts to send a notification when a family member enters or leaves a certain location, such as school or work.

But the background MongoDB database was left unprotected and accessible by anyone who knew where to look.

Sanyam Jain, a security researcher and member of the GDI Foundation, found the database and reported the findings to TechCrunch.

Based on a review of the database, each account record contained the user’s name, email address, profile photo, and their plain text passwords. Each account also kept track of their own and other family members’ real-time locations, accurate to just a few feet. Any user who had a geofence setting also had those coordinates stored in the database, along with what the user called them, such as “home” or “work.”

None of the data was encrypted.

TechCrunch verified the content of the database by downloading the application and registering using a fictitious email address. Within seconds, our real-time location appeared as precise coordinates in the database.

We contacted a random app user who, although shocked and shocked by the findings, confirmed to TechCrunch that the coordinates found in his log were accurate. The Florida user, who did not want to be identified, said the database was the location of his business. The user also confirmed that a family member listed on the app was his son, a student from a nearby high school.

Other records we reviewed also included the real-time locations of parents and their children.

TechCrunch spent a week trying to contact the developer, React Apps, to no avail. The company’s website had no contact information, nor did its privacy policy. The website had a privacy-enabled hidden WHOIS record, which concealed the owner’s email address. We even purchased the company’s business records from the Australian Securities and Investments Commission, just to know the name of the business owner, Sandip Mann Singh, but not the contact information. We sent several messages through the company feedback form, but we did not receive any recognition.

On Friday, we asked Microsoft, which was hosting the database in its Azure cloud, to contact the developer. Hours later, the database was finally taken offline.

It is not known exactly how long the database was exposed. Singh has yet to acknowledge the data leak.