Any context at all would be appreciated. The Krebs article mentions almost no context whatsoever about the bug except that you found an unauthenticated API.
Can you give some details about the API?
• Did you need to exploit SS7 flaws?
• Did you reuse some kind of nonce or session auth token, or was there no security whatsoever?
• Did it take phone numbers, hashes of phone numbers, bulk queries, etc.?
• Can we see example output data that you collected from the API?
• Did you notice the API endpoint in the devtools network tab, or did you have to dig much deeper?
You should do a write-up on the issue you found.
In short: it was a fairly straightforward modification of the usual API flow, to omit the secondary API call that requests consent, then request a JSON location payload instead of an XML payload. For whatever reason, that bypassed the usual consent check and just dumped the phone's location.
(Submitted url was https://krebsonsecurity.com/2018/05/tracking-firm-locationsm...)
The first thing that comes to mind is if this is on a well-known framework, I want to know because those security defaults are awful.
However, if these guys rolled their own API auth system and messed up something this simple, or deliberately modified framework defaults... I can't even imagine what conversations happened at their offices this morning.
To me that sounds like you stumbled upon an unauthenticated development/debug mode.
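As an added illustration of the flaw described in the reply above (not LocationSmart's code and not posted by any commenter), the following hypothetical model shows a consent check that lives only on the XML response path beside a hardened handler that decides authorization before format negotiation, plus the regression check a defender would keep; all numbers, coordinates and function names are constructed.

```python
import json

# Constructed sample state (hypothetical): numbers whose consent prompt was
# accepted, and a carrier-side position per subscriber.
CONSENTED = set()
LOCATIONS = {"+15551230001": (37.42, -122.08), "+15551230002": (40.71, -74.01)}

class ConsentRequired(Exception):
    pass

def request_consent(msisdn: str) -> None:
    # The "secondary API call": the real flow would send an SMS prompt; here
    # it just records that consent was obtained.
    CONSENTED.add(msisdn)

def _render(fmt: str, lat: float, lon: float) -> str:
    if fmt == "json":
        return json.dumps({"lat": lat, "lon": lon})
    return f"<location><lat>{lat}</lat><lon>{lon}</lon></location>"

def vulnerable_locate(msisdn: str, fmt: str = "xml") -> str:
    # Flawed dispatch: the consent check lives only on the XML branch, so a
    # JSON request reaches the lookup without CONSENTED ever being consulted.
    lat, lon = LOCATIONS[msisdn]
    if fmt == "json":
        return _render("json", lat, lon)
    if msisdn not in CONSENTED:
        raise ConsentRequired(msisdn)
    return _render("xml", lat, lon)

def hardened_locate(msisdn: str, fmt: str = "xml") -> str:
    # Authorization is decided once, before any lookup or rendering; the
    # requested format is a presentation detail and cannot alter the decision.
    if msisdn not in CONSENTED:
        raise ConsentRequired(msisdn)
    if fmt not in ("xml", "json"):
        raise ValueError(f"unsupported format {fmt!r}")
    lat, lon = LOCATIONS[msisdn]
    return _render(fmt, lat, lon)

def consent_enforced(handler, msisdn: str) -> bool:
    # Regression check: every supported format must be refused for a number
    # that has not consented, whichever handler is under test.
    for fmt in ("xml", "json"):
        try:
            handler(msisdn, fmt)
            return False
        except ConsentRequired:
            pass
    return True
```

Running `consent_enforced` against both handlers for a number that never consented shows the flawed one failing and the hardened one passing, which is the test that would have caught a format-dependent authorization path.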