
Thanks! I just finished the writeup, posted here: https://www.robertxiao.ca/hacking/locationsmart/

In short: it was a fairly straightforward modification of the usual API flow, to omit the secondary API call that requests consent, then request a JSON location payload instead of an XML payload. For whatever reason, that bypassed the usual consent check and just dumped the phone's location.




Man, I got here once the link had already changed, and your write-up is concise and tells all of the necessary information, versus the Krebs article, which is way too long and really doesn't say much useful. Thanks!


Thanks, your write-up is very informative! I think the HN staff should change the URL to your post.


Changed. Thanks for emailing us! We wouldn't have seen this otherwise.

(Submitted URL was https://krebsonsecurity.com/2018/05/tracking-firm-locationsm...)


When I read this I just started cackling like a mental patient.

The first thing that comes to mind is if this is on a well-known framework, I want to know because those security defaults are awful.

However if these guys rolled their own API auth system and messed up something this simple, or deliberately modified framework defaults... I can't even imagine what conversations happened at their offices this morning.


> JSON location payload instead of an XML payload. For whatever reason, that bypassed the usual consent check

To me that sounds like you stumbled upon an unauthenticated development/debug mode.



