Hacker News new | comments | ask | show | jobs | submit login

> and provide any additional context

Any context at all would be appreciated. The Krebs article mentions almost no context whatsoever about the bug except that you found an unauthenticated API.

Can you give some details about the API?

• Did you need to exploit SS7 flaws?

• Did you reuse some kind of nonce or session auth token, or was there no security whatsoever?

• Did it take phone numbers, hashes of phone numbers, bulk queries, etc.?

• Can we see example output data that you collected from the API?

• Did you notice the API endpoint in the devtools network tab, or did you have to dig much deeper?

You should do a write-up on the issue you found.

Thanks! I just finished the writeup, posted here: https://www.robertxiao.ca/hacking/locationsmart/

In short: it was a fairly straightforward modification of the usual API flow, to omit the secondary API call that requests consent, then request a JSON location payload instead of an XML payload. For whatever reason, that bypassed the usual consent check and just dumped the phone's location.

Man I got here once the link had already changed and your write up is concise and tells all of the necessary information versus the Krebs article which is way too long and really doesn't say much useful. Thanks!

Thanks, your write-up is very informative! I think the HN staff should change the URL to your post.

Changed. Thanks for emailing us! We wouldn't have seen this otherwise.

(Submitted url was https://krebsonsecurity.com/2018/05/tracking-firm-locationsm...)

When I read this I just started cackling like a mental patient.

The first thing that comes to mind is if this is on a well known framework, I want to know because those security defaults are awful.

However if these guys rolled their own API auth system and messed up something this simple, or deliberately modified framework defaults... I can't even imagine what conversations happened at their offices this morning.

> JSON location payload instead of an XML payload. For whatever reason, that bypassed the usual consent check

To me that sounds like you stumbled upon an unauthenticated development/debug mode.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact