Unsecured MongoDB database exposes real-time locations of families

For the second time this month, an unprotected MongoDB database is at fault for a massive security breach of sensitive information


The popular family tracking app Family Locator has for weeks exposed the real-time unencrypted location data of over 238,000 of its users.

The app, which closely resembles Apple's 'Find My Friends', lets users track family members and set up geofences that notify them when a family member leaves work or arrives at school, for example.


Not for the first time this month, the data was left exposed by an unprotected MongoDB database: anyone who knew where the server was could connect and read the information without any authentication, according to TechCrunch.

The exposed database was found by Sanyam Jain, a security researcher and a member of the GDI Foundation, a non-profit which finds and analyses exposed systems and reports them so they can be fixed.

None of the data in the database was encrypted: each user's name, email address, profile photo and password were stored in plain text, and every geofence was visible along with the label the user had given it. It would be effortless not only to learn a user's current location but also where they lived, where they worked and where their children went to school.
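The two settings that turn a MongoDB server into the kind of open database described above are a listener bound to every interface and access control left switched off (MongoDB ships with authorization disabled, and packages before 3.6 also bound to all interfaces by default). The script below is an added example, not code from the article, from React Apps or from MongoDB: it parses the simple two-level YAML subset that mongod.conf uses and flags both problems. The two configuration fragments are constructed for illustration, with the exposed one beside a hardened version of the same server.

```python
"""Audit a mongod.conf for an all-interfaces listener and missing
authorization. Added example; EXPOSED_CONF and HARDENED_CONF are
constructed samples, not configuration recovered from any real server."""

from typing import Any, Dict, List

# Constructed sample: the shape of configuration behind an open database.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same server with access control switched on and
# the listener limited to localhost and one private address.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the 'section:\\n  key: value' YAML subset used by mongod.conf.
    A full YAML parser would do the same; this keeps the example
    dependency-free. Comments and blank lines are ignored."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            section = key
            conf.setdefault(section, {})
        elif section is None:
            raise ValueError(f"indented line outside a section: {raw!r}")
        else:
            conf[section][key] = value.strip()
    return conf


def audit(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means neither problem is present."""
    findings: List[str] = []
    net = conf.get("net", {})

    # net.bindIpAll: true and net.bindIp: 0.0.0.0 or :: both listen on every interface.
    addrs = {a.strip() for a in net.get("bindIp", "").split(",") if a.strip()}
    if net.get("bindIpAll", "false").lower() == "true" or addrs & {"0.0.0.0", "::"}:
        findings.append("net.bindIp: server listens on all interfaces")
    elif "bindIp" not in net:
        # Localhost on 3.6+ packages, all interfaces on older ones: make it explicit.
        findings.append("net.bindIp not set: relies on the package default; set it explicitly")

    # Without security.authorization: enabled, no credentials are needed to read every collection.
    if conf.get("security", {}).get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization not enabled: no credentials required")
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["no findings"])
```

Run it against a real mongod.conf by reading the file into `parse_conf`; a clean result is necessary but not sufficient, since a cloud security group or host firewall that opens 27017 to the internet is outside what the file can show.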

"Unfortunately, this is yet another case where unprofessional handling of technology has led to data leakage," said Boris Cipot, senior security engineer at Synopsys.


"A serious misconduct such as this should not happen but, as we often see, it does, and usually it happens if and when security procedures are not implemented correctly or disregarded," he said. "Security should not be taken lightly, especially when you are working with data that someone entrusted you with."


The developer of Family Locator, React Apps, has not responded to approaches from the media. TechCrunch tried to contact the company for over a week, but its website carried no contact information and its record at the Australian Securities and Investments Commission returned only the name of the company's owner.

The database was later pulled offline by Microsoft, as it was hosted on its Azure cloud, but it is unknown how long it had been exposed before then.

"It's scary that an application designed to keep families safe and allow parents to monitor the whereabouts of their children is actually leaving data unprotected and accessible by anyone," said Winston Bond, senior technical director EMEA at Arxan Technologies.

"We stress the importance of application security every day but unfortunately, unless everything the app is connected to is also secure, there is still a danger posed to consumers. It is vital that when an application is being developed, the building process and the security process should go together -- neither security nor data protection should be an afterthought, or even worse, ignored altogether."


Earlier this month, another unprotected MongoDB database was behind a separate data breach: researcher Bob Diachenko discovered an open database containing 809 million email records, many of which included personally identifiable information.

Matters got worse when security company DynaRisk confirmed that the number of leaked records was roughly three times higher than first thought, putting the real figure at over two billion.

Most records contained a surname, email address, gender, postcode and IP address. Cross-checking the records against the Have I Been Pwned breach-notification service showed that the data had not appeared in any breach already catalogued there, meaning this was a newly discovered leak rather than a repackaging of an earlier one.
