Unsecured MongoDB database exposes real-time locations of families

For the second time this month, an unprotected MongoDB database is at fault for a massive security breach of sensitive information


The popular family tracking app Family Locator has for weeks exposed the real-time unencrypted location data of over 238,000 of its users.

The app, which closely resembles the functionality of Apple's 'Find My Friends' app, allows users to track family members and set up geofencing features that notify users when a family member leaves work or arrives at school, for example.

Not for the first time this month, the data was left exposed thanks to an unprotected MongoDB database which allowed anyone who knew the exact details of the server to access the information, according to TechCrunch.
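The exposure pattern reported above comes down to a server that listens on every interface and never asks for credentials. The following constructed mongod.conf fragments are an added illustration, not the configuration of the app or of the server TechCrunch describes: the first is the weak setup, the second the hardened equivalent (addresses and the certificate path are placeholders; note that since MongoDB 3.6 the default bindIp is already localhost).

```yaml
# Weak configuration (constructed example): mongod accepts connections from
# any network interface and access control is not enabled, so anyone who can
# reach port 27017 can list and read every collection.
net:
  port: 27017
  bindIp: 0.0.0.0
# No 'security' section at all: authorization is off by default.

---
# Hardened equivalent (constructed example): bind only to the loopback
# interface and the private address the application server uses, require
# TLS on the wire, and make every client authenticate before it can read.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5        # 10.0.0.5 is a placeholder private address
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled              # role-based access control on every request
```

After switching `authorization` on, the first administrative user is created over a local connection under the localhost exception, and a check from an outside host should then be refused rather than handed the collection list.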

The exposed database was found by Sanyam Jain, a security researcher and a member of the GDI Foundation, a non-profit which detects and analyses criminal opportunities and shares them publicly.

None of the data found on the database was encrypted: name, email address, profile photo and plaintext passwords were easily accessible and geofenced locations were visible along with the assigned name. It would be effortless to not only know the user's location but also where they lived, worked and where their children were schooled.

"Unfortunately, this is yet another case where unprofessional handling of technology has led to data leakage," said Boris Cipot, senior security engineer at Synopsys.

"A serious misconduct such as this should not happen but, as we often see, they do and usually they happen if and when security procedures are not implemented correctly or disregarded," he said. "Security should not be taken lightly especially when you are working with data that someone entrusted you with."

The developer of Family Locator, React Apps, has been unresponsive to approaches from the media. TechCrunch tried to contact the company for over a week, but its website had no contact information and the record from the Australian Securities and Investments Commission returned only the name of the company's owner.

The database was later pulled offline by Microsoft as it was hosted on its Azure cloud but it's unknown for how long the database was left exposed.

"It's scary that an application designed to keep families safe and allow parents to monitor the whereabouts of their children is actually leaving data unprotected and accessible by anyone," said Winston Bond, senior technical director EMEA at Arxan Technologies.

"We stress the importance of application security every day but unfortunately, unless everything the app is connected to is also secure, there is still a danger posed to consumers. It is vital that when an application is being developed, the building process and the security process should go together -- neither security nor data protection should be an afterthought, or even worse, ignored altogether."

Earlier this month, another unprotected MongoDB database was at fault for a data breach: researcher Bob Diachenko discovered the exposed database containing 809 million email records, many of which contained personally identifiable information.

Matters got worse when security company DynaRisk confirmed that the number of leaked records was actually three times higher than first thought; the real number stood at over two billion.

Most records contained surnames, email addresses, gender information, postcode and IP addresses for each entry. The records were cross-checked with the popular HaveIBeenPwned website, which showed the data had not previously appeared in a known data breach, meaning the affected people were being exposed for the first time.
