Should I contact the manufacturer if their product allows access to other users' location information?

Information Security Asked by Lil' Bits on November 25, 2021

I recently purchased a satellite communicator that allows me to send a map of my location to friends and family while I’m hiking in the wilderness.

While testing out my product, I noticed that the URL was constructed like so:

http://www.example.com/mylocation/?id=YYYYY/XX.XXXXN/XX.XXXXW

Where Xs are digits that are part of a physical latitude/longitude and the Ys are part of a 5 character alphanumeric ID.

Being curious, I truncated the latitude/longitude part of the URL and changed the ID by one character.

http://www.example.com/mylocation/?id=YYYYZ

By doing this, I could then see a different user’s:

  • physical latitude/longitude location on a map
  • device name (whatever they chose to call it; most people have something like “Harry’s GPS”)
  • custom pre-set message used while sending their location, if they have one set (ex: “Checking in – I’m safe.”)

My question is, does this present a security flaw, and should the company be alerted about this?

My argument for contacting the company would be that seeing other users’ physical locations is a blatant flaw; however, that’s the entire point of the product – to easily share your location with your family/friends. I also can’t see whom the device actually belongs to (name, phone number, username, email, etc.), so the location data is anonymised as far as I can tell.

10 Answers

I recently purchased a satellite communicator that allows me to send a map of my location to friends and family while I'm hiking in the wilderness

Based on the highlighted text, I think the person has purchased primarily a tracking device that has the primary purpose of frequently updating its location in a publicly available and predictable location on the internet, so that search and rescue services have free, easy access to your location information to assist in your rescue.

I would not be surprised if the device didn't come with a card with the predictable url on it or place to write your ID on it to get the location information with the intention that this card is then handed to search and rescue by your family when you need to be rescued.

If the data were secured, it would become much more problematic for search and rescue to gain access. Especially as the device can operate globally and laws differ between locations, it is quite possible that even though family members could provide their login credentials to search and rescue team members, they may legally not be allowed to use your credentials to use that service.

A live updated feed of your location is also much more helpful especially in situations where it would take a long time to get to you on foot and the person with the tracker is still roaming around.

The ability to send an email that notifies someone of your current location is a way of checking in. With an absence of check-in emails after x amount of time, or at the specific times and locations, it is an indicator to the family member to call search and rescue. This is an inexpensive way of being able to check in without purchasing an actual sat phone to check in on while out in the middle of nowhere.

I think they are well aware of it not being secured and also consider it not a risk at all, because it's the entire point of the product, just as another person has said... it's completely by design.

If you do not want to be tracked, turn the device off and it will no longer update your location info.

Answered by axawire on November 25, 2021

If I were you, I would say something like

Hello,
I have mistyped my ID (e.g. 12345) and pressed enter instead of backspace,
and I was dumbfounded to find that the page loaded and found 
the location of a stranger who has the ID next to mine (e.g. 12346).
Being able to track someone without their permission
seems to be a security problem, as someone that knows me on Facebook 
with a small bit of IT knowledge would be able to guess my ID without me knowing.

Basically, say you found it not by curiosity but by accident. Also send it pseudo anonymously (e.g. don't use your real id, and mail using something like [email protected]).

Check your mail before sending and maybe make someone you know proof read it.

Read it as if you were anger personified, that might help you smooth it so that you don't let someone that started his day by banging his toe on the bed post let out his anger on you.

If they don't answer, or don't do anything about it for some time (maybe after a month or 2, as this is a medium security problem), say that you would like them to do something about it or you will try to warn other users about this issue. If they still do nothing, do it, but be warned, they might not like it. See this zamfoo case.

Insist that if you found it as trivially as this, someone worse might be using it for nefarious purposes, and other users might have stumbled on that and be concerned too.

Use common sense so that you appear as a concerned user that stumbled on something weird or a friend of that user, that works too. A little "untruth", a lot of calm and politeness goes a long way to test the waters. If they seem friendly enough, you might say that you are competent (if you are) and can help them track the problem.

If you help them, and they are friendly, you might want to ask them if they want you to actively check other potential problems. (If they have great experience with you that might help you get a job (they can talk about you, how good (friendly but professional) you are etc.. to other people that might want you. Or just serve as a reference), or some friends.)

Also that's an occasion for them to get free advertisement, if they react well, you will probably be inclined to talk about them to people who might be interested.

Whatever you and them do, keep calm, don't escalate quickly, understand their point of view, and DO NOT APPEAR AS A THREAT (1)

If you look like you can damage them more than you would help, it is the quickest way to put them on the defensive, and get lawyer threats/a real case if you did something stupid and didn't cover your grounds.

(1) That works in most cases, not only when talking about security, but also with more or less angry people (coworkers, bosses).

Digression: The only time you may want to appear as a threat is if you are threatened by someone/something confident nothing will oppose them ever (e.g. a very angry dog): calmly walk towards them showing no fear (even if you brown your pants); they will probably start to bark more, but they will slowly back up and let you pass (or kill/maul you, but if you fled that would be the same).

ps: Be critical of what I say, I'm a dumb human, and I do not own absolute truth, if something appears better, ponder the ideas, do what seems best and see what happens, learn.

(Also feel free to propose edits if that seems too unstructured/long/rambly, I do not bite.)

Answered by satibel on November 25, 2021

This problem occurs because of direct object reference and easily enumerated IDs. We should not use easily enumerated IDs in any system, because it opens up easy guesses to the attacker. If you can't guess IDs, then we can reduce the risk of direct object reference as well. They should use some random ID value or a GUID to represent a user.

I think this is a major flaw, and the company should provide some API where the family/friend is authenticated before they can track you. As @Arminius suggested, we can't predict how the product company will accept your finding. It is always better to report this anonymously. If not, use a responsible disclosure template or terms.

Answered by user3496510 on November 25, 2021

Sounds like this is how the product was designed. It uses a UID + LAT/LONG to share your location with people...so you're basically saying you discovered how the product was designed. No flaw there. Should they maybe implement a security system where you need a PIN or something to access the location data? sure. But if the whole point of the product is to share your location, then you just discovered the short way to see other people's location, which is...wait for it...what it was designed to do.

If you want, submit a feature request and say "hey you should use PINs or something because anyone can see someone else's location, etc" but otherwise, this doesn't seem like a flaw based on what you described.

Answered by Evan R. on November 25, 2021

To add to the other answers - be aware of the risks of reporting the problem yourself:

If you're inexperienced with reporting security issues, you might come across to them as dodgy and potentially malicious. A company that doesn't have experience with handling security issues might forward your report to the company lawyer rather than the IT department. Obviously, you simply want to help, but to them you're mainly causing trouble. Chances are, they don't want the issue to become public (which could cause great harm to their business reputation) and hence they might threaten you with legal consequences. In the worst case they will contact law enforcement without further notice.

Being curious, I truncated the lat/lon part of the URL, and changed the id by one character.

So you didn't find that purely by accident. From the company's perspective you gained access to other customers' data by manipulating the URL - it won't matter to them how easy it was and that you did it "just out of curiosity". They might still see you as a threat and react unprofessionally.

You should be aware of this possible interpretation and decide carefully if it's worth the risk. If you deal with security bugs without a contract or a public policy that encourages bug hunting, you're in a legal grey area.

Answered by Arminius on November 25, 2021

It doesn't represent a flaw. It seems like they feel it's an acceptable risk. I wonder how easy it would be to programmatically cycle through UIDs and collect data that you could reference to identify someone. If they just salted the ID, you could still share it openly, but you couldn't easily cycle through people's locations.

Answered by tim_shane on November 25, 2021

Everyone else seems to be jumping the gun here. The key part to consider is HOW you, an end user, share your location with other end users (family/friends).

If you view the information with a link, and are able to send the same link to family members, then there is an assumption that you are posting information publicly (there is no authorization system).

The Privacy Statement or Terms of Use should spell this out. Who can access your location data? What information is provided publicly? It would certainly clarify the question you proposed.

Using a simple web link is not how I would design such a system, but seems completely intentional. I would perhaps suggest you ask them about privacy settings.

Answered by dark_st3alth on November 25, 2021

Yes, you should notify the problem to the company - with caution.

Update: a shorter, very complete answer was supplied by @crovers. But if you have patience...

...the problem here is not simply the possibility of tracking J. Random Stranger, but rather that:

  • once your ID has been given to someone, apparently you cannot take it back and it does not expire. That person can now follow you everywhere (think "overly attached girlfriend"). Also, that ID may leak. Emails get forwarded by mistake and sometimes the little, easily overseen ... glyph in mail programs covers lots of sensitive information.

  • you don't even need to give it to me. If the IDs are sequential [as commented by @crovers], I can tabulate all of them in very little time, check their position, and easily single out those five or six that are near enough to the position I know you might be in. Tomorrow, another five or six will be near enough a different place you're now in; of those five, maybe two were in the original five, so you must be one of those two. In a comparatively little time I've narrowed my candidates to one: I now have your ID and can stalk you, and you are none the wiser.

  • I may even not know you. The ID can be used to prank total strangers. I just googled a bit and found a couple thousand Facebook users that boasted of their new (NAME OF GPS-RELATED GADGET). I used a very well known brand, so your gadget will have maybe only one hundred people that I can discover easily. A full half of those, I'm confident, will routinely post pictures about where they are (does Facebook purge EXIF GPS information?). In a very little while, one of them that caught my fancy might receive a message stating "How's the weather in Old Nowhereville?" even if he (or she) never said anything to anyone about where he (or she) was, nor even posted anything anywhere. Such pranks - and knowing that some total stranger is apparently interested in you, and always seems to know where you are - can totally ruin your day. And they can totally ruin the company's day, if some pranked people get convinced that their GPS can somehow be "hacked remotely", even if, as in this case, that's not what's happening at all. Yes, I have a sick mind - but I'm not the only one, so you might want to point the company's people to this page - and, to restate another very good point made by @crovers and Arminius, do so anonymously. The potential damage to them is huge, and you're doing them a big favor by pointing this to them. But some companies might have a (knee-)jerk reaction and try to bully you into silence believing this solves something (or even solves the matter entirely); Nobel Prize Richard P. Feynman's "vulnerability disclosure" story makes for a hilarious reading ("That was his solution: I was the danger!").

You're actually helping them.

  • trust me, lots and lots of people would do exactly what you did when seeing "id=XXXXX" in a URL. I would have done it. Depending on the gadget's popularity, I'd wager many others will already have done so. So it's not like you're unleashing a zombie apocalypse over someone who otherwise would have remained safe - you'll probably simply be the first to have had the conscience to tell them they are not safe at all. Because that's significantly rarer than having the curiosity of changing an ID.

It totally didn't have to be like this.

It is trivially simple, from the company's point of view, to fix this by allowing each user to regenerate a different secret ID on demand any time they choose. And even set an expiration date. And they still could do it now.

A very quick fix could be to proxy their website through a simple filter, connected with a database.

Your new URL is, say, http://www.example.com/mylocation/?id=22b255b332474ae3e7f008cc50ebe3e0&...

or one could translate that to "true.pony.pile.main.jazz.call.mine.soft.pink.rake.jane" to get something more easily remembered or dictated over a phone.

The first four words are somewhat connected to "correct horse battery staple".

The proxy checks in a database and finds that 22b255b332474ae3e7f008cc50ebe3e0 is a valid ID, and is associated to "real" (or "old") id 12345, so it transforms the URL by simply replacing the ID with 12345, sends the request to the true, hidden website, gets the page back, rewrites any 12345's with the original 22b2... stuff, and hey presto!, the external user can see where you are, same page as before, but he has no way of knowing that the true ID is 12345 (and, even if he knew, he'd have no way of getting it through to the system, which now only accepts hashes).

But now, user 12345 can have as many IDs active as the company wants (or sells!), and give one to his mom, one to his SO, and so on. One ID leaks, or he breaks up with his friend -- he invalidates that one ID. It also becomes possible to know how many accesses there have been to each ID, so the snooping can be two-way. Possibly for premium users only :-D. For some IDs, the website may even release randomized information, or low-precision GPS coordinates.

And if you wanted to guess at random a valid ID - well, there are some 2^128 of those. If each customer had one hundred disposable IDs (say 2^7), and the company had one billion customers (say 2^30), there would still be approximately one possibility over 2^90 to get a valid ID by trying at random. If that's too little (or if my math happened to be a bit askew), there are larger hashes too.

And the old ID no longer works since you can't reach the original server without the ID you supply getting hashed.

Given the reasonable implementation cost (a couple of days' worth for one developer and one QA engineer, and I'm padding heavily), I'm a bit baffled that this wasn't designed in from the start.

Answered by LSerni on November 25, 2021
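The per-recipient, revocable token scheme LSerni sketches above (and the unguessable identifiers user3496510 and crovers call for), as an added Python example that is not code from any answer or from the product in question. The TokenStore class, its in-memory dict standing in for the proxy's database, and the rewrite_request function are all assumptions made for this illustration.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit


@dataclass
class ShareToken:
    owner_id: int          # the real sequential device ID, never exposed in a URL
    label: str             # who this token was handed to, e.g. "mom"
    expires_at: float      # 0 means "never expires"
    revoked: bool = False
    access_count: int = 0  # lets the owner see how often the link was opened


class TokenStore:
    """In-memory stand-in for the proxy's database (hypothetical)."""

    def __init__(self):
        self.tokens = {}   # token -> ShareToken

    def issue(self, owner_id, label, ttl=0, now=None):
        """Mint a fresh 128-bit random token for one recipient."""
        now = time.time() if now is None else now
        token = secrets.token_hex(16)   # 32 hex chars, 128 bits of entropy
        self.tokens[token] = ShareToken(owner_id, label, now + ttl if ttl else 0)
        return token

    def revoke(self, token):
        """Invalidate one leaked or unwanted token; the owner's others keep working."""
        if token in self.tokens:
            self.tokens[token].revoked = True

    def resolve(self, token, now=None):
        """Return the internal ID for a live token, else None."""
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec.revoked or (rec.expires_at and now >= rec.expires_at):
            return None
        rec.access_count += 1
        return rec.owner_id


def rewrite_request(url, store, now=None):
    """Proxy step: swap the external token for the hidden internal ID, or None."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    owner = store.resolve((qs.get("id") or [""])[0], now)
    if owner is None:
        return None   # proxy answers 404; a guessed ID never reaches the origin
    qs["id"] = [str(owner)]
    return urlunsplit(parts._replace(query=urlencode(qs, doseq=True)))


def random_guess_odds(valid_tokens, bits=128):
    """Chance that one random guess hits a live token (the answer's 2^90 figure)."""
    return valid_tokens / 2 ** bits
```

The response-rewriting half of the proxy (replacing the internal ID in the returned page with the token) is a plain string substitution and is left out here.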

Yes. They ought to be using a long, unguessable string instead of a predictable, short one.

I would consider this a security flaw that is relatively simple for them to fix.

However, I would caution you - some companies do not handle situations like this very well. Some argue (in my view incorrectly) that changing that id constitutes hacking and they may threaten to sue or have you charged. That is dumb, but I'd advise you to approach them anonymously or via an intermediary.

Check to see if they have a bounty program - (google company name and bug bounty). If they do not, you may want to consider using an intermediary - Zero Day Initiative is one.

Answered by crovers on November 25, 2021

This is an interesting question; in most systems I'd consider this an insecure direct reference vulnerability exposing location data.

Real-time GPS location should be considered sensitive; it could have multiple nefarious uses. In this case, though, it is the entire point of the system, and although I think the IDs should be harder to guess while remaining usable (be alphanumeric, for example), the data isn't identifiable to a specific user. It could also be secured by a password which you supply to users you wish to grant access.

I don't think this is a security risk as such, just a poor implementation. The question is would you feel your information or privacy was violated if a stranger browsed to your page? If so raise it with the manufacturer.

Edit: - Revised my opinion on this. I would consider this system vulnerable. Identifiers should be harder to guess and ideally password protected.

Answered by iainpb on November 25, 2021
