
A family tracking app was leaking real-time location data - s1512783
https://techcrunch.com/2019/03/23/family-tracking-location-leak/
======
okmokmz
> TechCrunch spent a week trying to contact the developer, React Apps, to no
> avail. The company’s website had no contact information — nor did its
> bare-bones privacy policy. The website had a privacy-enabled hidden WHOIS
> record, masking the owner’s email address. We even bought the company’s
> business records from the Australian Securities & Investments Commission,
> only to learn the company owner’s name — Sandip Mann Singh — but no contact
> information. We sent several messages through the company’s feedback form,
> but received no acknowledgement.

And people trust this with the real time location data of their children so
they can keep them "safe". Absolutely ridiculous

------
unixpickle
Not the first time someone left a MongoDB database exposed to the wild, and it
won't be the last. It's an easy thing to do, especially since MongoDB is so
popular for small single-server projects.

A few years ago, I discovered the open MongoDB database of an educational
website called Kaizena, which we were using in my high school English class.
When I reported the problem to them, they quickly fixed it (probably with some
iptables hack). They even wrote a blog post [1] about fixing it, where they
claimed they added "additional firewalls to the database". More like _one_
firewall.

As a side note, Kaizena also had another security bug where their API would
return JSON payloads that had private information in it (e.g. the voice
feedback for other students' work). I reported it years ago, but who knows if
it's fixed.

[1] https://blog.kaizena.com/post/68627783859/a-note-on-security

~~~
darkarmani
For many years Mongo would not allow you to use only Unix Domain sockets. It
would always create a TCP socket as well, making it harder to secure, and
nearly impossible to secure against other processes running on the server.

https://stackoverflow.com/questions/21421410/how-to-disable-mongodb-tcp-port
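The two comments above describe the same failure: a mongod accepting TCP connections on every interface, which can only be narrowed (not removed) with `net.bindIp`, and which a host firewall then has to back up. As an added example that is not from the thread, the article, or MongoDB's own tooling, here is a small Python audit of the two places the mistake shows up. It parses listener output in the format of `ss -Hltn` and the flat `net.bindIp` / `bindIpAll` lines of a `mongod.conf` (both constructed inline for the demonstration; the port list and the simplified line-based config parser are assumptions) and reports any MongoDB port bound to something other than loopback or a Unix socket path:

```python
"""Audit a host for a MongoDB listener reachable from off-box.

Added example, not code from the thread, the article, or MongoDB itself.
The `ss` output and the two mongod.conf fragments are constructed inline
for the demonstration; the port set and the line-based config parser are
simplifying assumptions.
"""
from __future__ import annotations

import ipaddress
import re

# Default mongod/mongos ports plus the legacy HTTP status interface (assumed list).
MONGO_PORTS = {27017, 27018, 27019, 28017}

# Flat YAML forms only: "bindIp: a,b" and "bindIpAll: true".
_BIND_IP = re.compile(r"^\s*bindIp\s*:\s*(.+?)\s*$", re.MULTILINE)
_BIND_ALL = re.compile(r"^\s*bindIpAll\s*:\s*true\s*$", re.MULTILINE)


def is_exposed_address(addr: str) -> bool:
    """True when a bind address accepts connections from other hosts.

    Only loopback (127.0.0.0/8, ::1, 'localhost') and Unix socket paths keep
    the listener reachable from local processes alone. Wildcards, routable
    addresses and unresolved hostnames are treated as network-reachable.
    """
    addr = addr.strip("[]")
    if addr in ("*", ""):
        return True                 # ss prints '*' for a wildcard bind
    if addr.startswith("/"):
        return False                # Unix domain socket path
    if addr == "localhost":
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True                 # a hostname; assume it resolves off-box
    return not ip.is_loopback       # 0.0.0.0 and :: fall through here as exposed


def audit_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Parse `ss -Hltn` lines; return (address, port) pairs where a MongoDB
    port is bound to a non-loopback address."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles [::]:27017 too
        if port.isdigit() and int(port) in MONGO_PORTS and is_exposed_address(addr):
            exposed.append((addr, int(port)))
    return exposed


def audit_bind_ip(mongod_conf: str) -> list[str]:
    """Return the network-reachable entries of net.bindIp in a mongod.conf.

    An absent bindIp is reported as '<unset>': before MongoDB 3.6 the binary
    bound every interface unless told otherwise.
    """
    if _BIND_ALL.search(mongod_conf):
        return ["<bindIpAll>"]
    match = _BIND_IP.search(mongod_conf)
    if match is None:
        return ["<unset>"]
    entries = [e.strip() for e in match.group(1).split(",") if e.strip()]
    return [e for e in entries if is_exposed_address(e)]


# Constructed sample data: one loopback-only mongod next to two exposed ones.
SAMPLE_SS = """\
LISTEN 0      4096       127.0.0.1:27017      0.0.0.0:*
LISTEN 0      4096         0.0.0.0:27017      0.0.0.0:*
LISTEN 0      4096            [::]:27017         [::]:*
LISTEN 0      128                *:22               *:*
"""

SAMPLE_CONF_WEAK = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""

SAMPLE_CONF_FIXED = """\
net:
  port: 27017
  bindIp: 127.0.0.1,/tmp/mongodb-27017.sock
security:
  authorization: enabled
"""

if __name__ == "__main__":
    print(audit_listeners(SAMPLE_SS))        # [('0.0.0.0', 27017), ('[::]', 27017)]
    print(audit_bind_ip(SAMPLE_CONF_WEAK))   # ['0.0.0.0']
    print(audit_bind_ip(SAMPLE_CONF_FIXED))  # []
```

On a real host, feed the output of `ss -Hltn` to `audit_listeners` and the contents of `/etc/mongod.conf` to `audit_bind_ip`; an empty result from both is the minimum bar, and `security.authorization: enabled` still belongs in the config because binding to loopback does nothing against other processes on the same box, which is exactly the gap darkarmani describes.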

------
jmull
As bad as it is, I can understand accidentally leaving a database accessible
(they generally _need_ to be accessible and setting just the right amount of
accessible can be complex).

But this:

> ...plaintext passwords...

Why, oh why, store plaintext passwords?!?

~~~
glvn
I can sort of see why and it's for the same reason databases are left wide
open.

You start a project. You set up a DB with minimal security because you're just
starting the project, and you figure that down the road before you release to
the public, you will secure that DB.

A few weeks/months pass and you are ready to release your app into the wild.
But by that time you are focused on other things and that unsecured DB is
forgotten because it has "just worked" since that initial setup. You release
and sometime later something like this happens because that DB never got the
attention to security it needed because it "just worked" and was forgotten.

Don't get me wrong, this is still very bad. But I can see how an unsecured
server/plaintext passwords happen. It's not by design but rather a shortcut
you took way back when that you have since completely forgotten about.

~~~
jmull
The password still has to get into the database... something passes it to an
insert query or request. It just needs to hash the password on its way
through. Let’s see:

* identify a hashing library
* install/import it
* call it (when storing the password and when comparing)

It’s a matter of minutes really.
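Those three steps, carried through as an added example that is not code from the thread or from the app under discussion. It uses only the standard library (`hashlib.pbkdf2_hmac` with a per-user random salt, a constant-time compare, and parameters stored alongside the digest so they can be raised later); a dedicated library such as argon2-cffi or bcrypt is the better choice where it can be installed, and swapping it in touches only the two hash functions. The `users` dict stands in for the insert and select against the real database:

```python
"""Hash passwords on their way into the database instead of storing them.

Added example, not code from the thread or from the app it discusses. The
dict `users` is a stand-in for the real user table; ITERATIONS follows the
2023 OWASP guidance for PBKDF2-HMAC-SHA256 and is the only tunable.
"""
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing string: algorithm$iterations$salt$digest.

    A fresh salt per password means two users with the same password store
    different values, and the parameters travel with the hash so they can be
    raised later without a schema change.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False                        # malformed record, never a match
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored hash uses weaker parameters than current policy."""
    fields = stored.split("$")
    if len(fields) != 4 or fields[0] != ALGORITHM:
        return True
    try:
        return int(fields[1]) < iterations
    except ValueError:
        return True


# Verified for unknown usernames so a login attempt costs the same whether
# or not the account exists (no username enumeration via response time).
DUMMY_HASH = hash_password(secrets.token_hex(16))


def register(users: dict, username: str, password: str) -> None:
    """The insert path: only the hash string ever reaches the database."""
    users[username] = hash_password(password)


def authenticate(users: dict, username: str, password: str) -> bool:
    """The compare path, upgrading old hashes transparently on success."""
    stored = users.get(username)
    if stored is None:
        verify_password(password, DUMMY_HASH)
        return False
    if not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        users[username] = hash_password(password)   # we hold the plaintext only now
    return True


if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct horse battery staple")
    print(users["alice"])   # pbkdf2_sha256$600000$<hex salt>$<hex digest>
    print(authenticate(users, "alice", "correct horse battery staple"))   # True
    print(authenticate(users, "alice", "Correct horse battery staple"))   # False
```

The rehash-on-login step is what makes the parameter choice cheap to revisit: raise `ITERATIONS` (or change `ALGORITHM`) and every active account migrates the next time its owner signs in, with no access to the plaintext needed in between.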

------
cyberfart
> We contacted one app user at random who, albeit surprised and startled by
> the findings, confirmed to TechCrunch that the coordinates found under their
> record were accurate.

So they accessed the database as well as personal information of users? Is
this not a crime whether or not the database was unprotected?

~~~
macintux
In the eyes of the law (or at least the courts), journalists have broader
latitude in the course of investigative reporting.

~~~
cyberfart
Yes but until that's decided in court, is this not confessing to a crime?

~~~
brewdad
Until that's decided in court, there is no crime only actions that may or may
not be legal.

------
napolux
Are these kinds of apps really a thing?

~~~
ryandvm
I'm curious about the demographics of someone that would ask such a question
(in such a manner). I suspect you do not have children, or at least not
teenage ones. I recall that I used to hold much stronger (and different)
opinions about child-rearing _before_ I had children of my own.

I constantly struggle with balance between keeping my children safe and
allowing them agency and the development of personal responsibility. Among
other things, this ranges over such topics as location tracking, internet
filtering, browser history, screen-time, etc.

I will absolutely admit that much of this sounds like the stuff that
repressive governments engage in, but then again, my children are not full
citizens. They are developing human beings that require a certain degree of
protection.

Are you only opposed to location tracking? What level of "nanny-state" do you
think is acceptable in a household setting?

~~~
okmokmz
As someone with extremely overbearing helicopter parents that now has a lot of
issues that I have been working through over time with a therapist, please
don't surveil and micromanage your children. It ultimately led to a lot of
distrust of authority, anxiety, depression, social isolation, making worse
choices in attempts to circumvent security controls and attempt to have
control over my life, and other long lasting negative effects. I can guarantee
that anything you implement (gps tracking, cameras, filters, logs) will be
easily identified and bypassed, causing distrust and potentially even less
safe decisions/scenarios.

------
bobbydreamer
We should let Google do it and give us the details; they do it better, as they
have already invested a lot in it, are doing it, and are keeping it secret. Or
let FB do it. Basically, an Android app asking the other person to accept being
tracked, and sending their location to the other person when they want it. It
should be that simple.

------
apayan
Shameless plug: I've built a family location sharing app that uses end-to-end
encryption, so you don't have to worry about this sort of data leak (or any
other). It's available for iOS and Android. (It's in beta, but quite
functional).

https://www.zood.xyz

~~~
symlock
Very interested, but what markers are there for me to trust you/your company?
Is it Open Source? Have you been around for long? Are you audited? Is there a
sustainable business model?

The https://www.zood.xyz/products/location#about-zood-location page doesn't
really say anything other than that you promise you are doing what you say
(and you probably are).

~~~
apayan
Fair question. As of this writing, there isn't anything to trust me short of
sniffing all the packets coming out of the phone and/or decompiling the APK.

While in beta, I'm not charging, but in order to align my interests with those
of users I will be charging for it once I'm done beta testing. So far I've
only been testing with family and close friends.

The app isn't currently open source, but I want to find a license model that
will let folks see the source code while still preventing someone from forking
it and running their own instance of my company. As you noted, this needs to
be a sustainable endeavor, and I think that would be unlikely if I just
release it all under MIT or BSD-3.

It's too early for an audit (and I don't have the money for one yet), but I'm
using libsodium for the crypto so there's no need to worry about me writing my
own bad crypto primitives.

The website is sparse, because the current audience for it is my family and
friends who I've contacted about helping me with the beta testing. I intend to
flesh out the site a lot more before I come out of beta.

~~~
ocdtrekkie
You could do a reference source-type thing, where it isn't open source and
using your source is prohibited, but people can browse it for specified
purposes, such as auditing security issues:
https://en.wikipedia.org/wiki/Shared_Source_Initiative#Restricted_licenses

Copyleft open source licenses only help you so much, people can still clone
your company as long as their version is also open source. There's no way to
prohibit corporate use of your code and still have an OSI-approved license.

The spot that kinda falls between those two classes is if you want people to
be able to fork or self-host for personal/non-commercial use, and there's a
few also not open source license examples out there for that too. There's a
couple of that sort listed under
https://en.wikipedia.org/wiki/Source-available_software (Commons Clause or
Mega Limited Code Review sound fairly similar to what you might want.)

~~~
apayan
Despite being a big fan of copyleft, the "source available" license sounds
like the right direction for Zood. Thanks for that link. I had not heard about
Commons Clause or Mega Limited Code Review. I'll dig into those.

