The Family Locator app, which tracks family members by geolocation, left the personal and geographic data of more than 238,000 of its users in plain view by storing it on a server that was not password-protected.
Used by parents to monitor their children, Family Locator is an Australian app that allows you to track a loved one or to be alerted if they enter or leave a designated place, such as a school.
Data poorly protected
Sanyam Jain, a cybersecurity researcher, discovered that the Family Locator server was not protected by any password and that the data contained on this server was not encrypted.
The data in question includes, but is not limited to, users’ names, e-mail addresses, profile pictures and passwords, as well as their precise geographic location and the location of identified places, such as the workplace or school.
The safety of children potentially at risk
An ill-intentioned person would have been able to go to a school and use the parents' personal information to convince the staff to let them pick up a child and take the child away.
The technology news site TechCrunch confirmed Sanyam Jain’s discovery and, for a week, repeatedly tried to contact React Apps, the developer of the app. In the absence of a response, TechCrunch on Friday contacted Microsoft Azure, which hosted the Family Locator database. The database is now offline.