Another week, another high-profile data leak.
This one, though, was more worrying than most.
TechCrunch have found that React Apps’ Family Locator, an app that helps families keep in touch by sharing their location in real time, was leaking this data to anyone who cared to look.
It’s lucky, in fact, that Sanyam Jain, a security researcher and a member of the GDI Foundation, found the database first and then reported his findings to TechCrunch. There are plenty of people out there who would’ve used this information for more nefarious purposes.
Whilst it doesn’t seem like this information was accessed by hackers, the leak further highlights the weak security practices of many popular app providers, and of family tracking apps more specifically.
Protecting yourself against leaks like this is important, and not difficult. The leak is a reminder to us all to use only trusted apps. It is also a stark warning of the dangers of sharing our information with anyone.
And whilst there is not much you can do about your information being leaked by companies that don’t take security seriously enough, it is pretty easy to improve your own cyber defenses.
The Leaky App
The leak concerns Family Locator, an app built by Australia-based React Apps.
On the face of it, the app seems to provide some pretty useful features. It lets family members see each other’s locations in real time. It also allows users to set ‘geo-fences’, which the app uses to alert users when their family members leave work, arrive at school, etc.
The problem is that all of this information was being stored in the most insecure way imaginable. Sanyam Jain found a MongoDB database that was completely unsecured, and contained a wealth of information on every user of the app.
The database included information on some 238,000 users. Anyone who accessed it could see users’ email addresses, names, profile pictures, real-time locations, and even passwords.
None of this information was encrypted. None.
The database, it seems, was publicly accessible in this form for weeks, potentially allowing hackers plenty of time to access, use, and copy the information it contained.
React Apps’ response didn’t help to instill confidence, either.
TechCrunch tried to contact the company, only to find that they had hidden most of their contact information. After buying the company’s registration details from the Australian Government, TC then emailed them repeatedly. When its messages went unanswered, the online publisher asked Microsoft, through which the developer hosted the database using Azure, to contact the individual.
Hours later, the database went offline.
And that is where the story rests for now.
On the one hand, it’s great that this information is no longer accessible to anyone who cares to look. On the other, the fact that it was left in the open, and the company’s seemingly total lack of contrition about such a massive mistake, has not done much to reassure its users.
The (Potential) Problem With Family Tracking Apps
If you’re tired of hearing about leaks like these, you’re not alone. Every week seems to bring new information on companies that have accidentally (and sometimes willfully) leaked user data.
It’s important to point out that these leaks are not, in general, caused by security vulnerabilities at the technological level. Rather, the majority of data leaks are caused by incompetence.
Back in March this year, to take an example, Diachenko reported that they had found a database that had not been configured correctly. This database contained more than 250,000 legal documents, all completely unencrypted. Only days before that, the same researcher found a MongoDB database which contained more than 800 million email records, all – again – in plaintext.
That same month, Victor Gevers of the GDI Foundation found a large number of MongoDB instances that were similarly unprotected. 18 such databases, in fact. All of them contained information on user activity on several well-known social media sites in China.
I don’t mean to blame MongoDB. There is nothing wrong with that database in itself.
Rather, these leaks were caused by admins not setting up the databases properly. And in most of these cases, this happened at a level far removed from the user: by admins who had bought (or come across) user data from other sources.
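To make the “not set up properly” point concrete, here is an added illustration (not from the original article, and not the configuration of any company named in it) showing the kind of mongod.conf that leaves a database open to the whole internet, followed by the corrected settings; all paths and addresses are constructed placeholders:

```yaml
# INSECURE (constructed example): listens on every interface and, because there
# is no security section, accepts any connection without authentication.
# Combined with a cloud firewall that exposes port 27017, the whole dataset is
# readable by anyone who scans for it.
net:
  port: 27017
  bindIp: 0.0.0.0
# (no security.authorization key: the server runs without access control)
---
# HARDENED (constructed example): bind only to the address the application
# actually connects from, require every client to authenticate, and encrypt
# connections in transit.
net:
  port: 27017
  bindIp: 127.0.0.1                       # or the app server's private interface
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongo.pem  # placeholder path
security:
  authorization: enabled                  # create an admin user before restarting with this
```

Even with the hardened file, the cloud network rules (on Azure, the network security group) should not expose 27017 to the internet at all; binding to a private address and requiring authentication are layers, not substitutes for each other.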
This, in turn, highlights a (potential) problem with family tracking apps. While such apps are undoubtedly useful, they often rely on an app developer taking the time to check that their subcontractors are as careful as they are.
And so, while the data shared with React Apps is safe for now, the incident illustrates a problem with tracking apps as a whole: it’s difficult to verify that developers are securing your location info every step of the way. If they don’t and there’s a breach, it could lead to very real threats that could include physical danger.
How To Protect Yourself From Data Leaks
So, what can you do about leaks like this?
Looked at one way, there is very little you can do about companies leaking your data through incompetence.
You can, however, avoid companies that leak your data on purpose. And make no mistake: some companies make a lot of money out of selling your data, even though they keep pretty quiet about it.
This practice is more widespread than you might think. US cell carriers, despite many people complaining about it, continue to sell real-time location data to third-party companies. And the leak I mentioned before, which contained user activity on several large social media sites in China, actually contained data that had been collected by the Chinese government, as Bleeping Computer reported.
Our advice, therefore, when it comes to avoiding becoming the victim of a data leak, is simple enough: don’t let anyone have your data in the first place.
That might seem like difficult advice to follow, given how many services we all rely on today. But there are actually some pretty easy ways you can avoid sharing your data with anyone you don’t specifically want to.
The best way to avoid data leaks is to limit the amount of information that companies hold about you. If they don’t know your details, they can’t leak them, whether accidentally or not.
This point raises a topic that is often misunderstood. Most of the people who use a VPN to stay anonymous online are not doing that because they are worried that the government is spying on them. Rather, they are just worried that companies and hackers will otherwise be able to intercept their private data.
Put another way, internet privacy is not just about making sure that companies, the government, and hackers are not spying on you. It’s also about limiting the number of people who have access to your data. That way, they can’t leak it.
Here at PureVPN, we’ve been helping people to keep their data private for many years, and are dedicated to helping you stay safe online. We’ve also put together loads of resources to help you learn more about these issues: our ‘What is internet privacy?’ guide is a great place to start.