Unsecured MongoDB database exposes real-time locations of families

Database graphic
(Image credit: Shutterstock)

The popular family tracking app Family Locator has for weeks exposed the real-time unencrypted location data of over 238,000 of its users.

The app which closely resembles the functionality of Apple's 'Find My Friends' app, allows users to track family members and set up geofencing features which notify users when a family member, leaves work or arrives at school, for example.

Not for the first time this month, the data was left exposed thanks to an unprotected MongoDB database which allowed anyone who knew the exact details of the server to access the information, according to TechCrunch.

The exposed database was found by Sanyam Jain, a security researcher and a member of the GDI Foundation, a non-profit which detects and analyses criminal opportunities and shares them publicly.

None of the data found on the database was encrypted: name, email address, profile photo and plaintext passwords were easily accessible and geofenced locations were visible along with the assigned name. It would be effortless to not only know the user's location but also where they lived, worked and where their children were schooled.

"Unfortunately, this is yet another case where unprofessional handling of technology has led to data leakage," said Boris Cipot, senior security engineer at Synopsys.

"A serious misconduct such as this should not happen but, as we often see, they do and usually they happen if and when security procedures are not implemented correctly or disregarded," he said. "Security should not be taken lightly especially when you are working with data that someone entrusted you with."

The developer of Family Locator React Apps has been unresponsive to approaches from the media. TechCrunch tried to contact the company for over a week but its website had no contact information and the record from the Australian Securities and Investments Commission returned only a name of the company's owner.

The database was later pulled offline by Microsoft as it was hosted on its Azure cloud but it's unknown for how long the database was left exposed.

"It's scary that an application designed to keep families safe and allow parents to monitor the whereabouts of their children is actually leaving data unprotected and accessible by anyone," said Winston Bond, senior technical director EMEA at Arxan Technologies.

"We stress the importance of application security every day but unfortunately, unless everything the app is connected to is also secure, there is still a danger posed to consumers. It is vital that when an application is being developed, the building process and the security process should go together -- neither security nor data protection should be an afterthought, or even worse, ignored altogether."

MongoDB earlier this month was at fault for another data breach; researcher Bob Diachenko discovered the unprotected database containing 809 million email records, many of which contained personally identifiable information.

Matters got worse when security company DynaRisk confirmed that the number of leaked records was actually three times higher than first thought, the real number stood at over two billion.

Most records contained surnames, email addresses, gender information, postcode and IP addresses for each entry. The records were cross-checked with the popular HaveIBeenPwned website which showed the data had not been previously found in a data breach, meaning this discovery was new and the affected people had not been the subject of a data breach previously.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.