Unprotected MongoDB database leaks real-time locations of over 238,000 ‘Family Locator’ app users

  • This app allows families to track the locations of other family members.
  • The misconfigured database also contained account records of each user.

A popular family tracking app, Family Locator, was found leaking the real-time locations of more than 238,000 users for weeks after a server was left exposed without a password. The app is built by React Apps, an Australia-based software company.

The big picture - According to Sanyam Jain, a security researcher and member of the GDI Foundation, the unprotected server was running a MongoDB database that stored the real-time locations and other significant details of users.

The app allowed families to track the locations of other family members. It also enabled users to set up geofenced alerts that send a notification when a family member enters or leaves a location. Any user who had a geofence set up had the coordinates of locations such as ‘home’ or ‘work’ stored in the database.

What type of data was exposed - The investigation found that the misconfigured MongoDB database contained the account records of each user. Each account included the user’s name, email address, profile photo, and plaintext password. None of this data was encrypted.

What has been done so far - Upon learning about the incident, TechCrunch tried contacting React Apps to inform the developers about the issue. However, there was no response from the company.

On March 22, 2019, Microsoft, which hosted the database on its Azure cloud, was asked to take immediate action. The unsecured database is no longer available on the internet.