SIK-2017-013


Title:

My Family GPS tracker data transmitted without encryption

Report ID

SIK-2017-013

Summary:

  • Vendor: net.prtm.myfamily
  • Product: My Family
  • Affected Version: 5.27, Probably all
  • Severity: Private data public (GPS locations, names and profile photo URLs of all family members readable by anyone on the network path)
  • Short summary: All GPS location data is transmitted over an unencrypted HTTP connection.

Details:

The communication between the app and the backend is carried out over an unencrypted HTTP connection. A passive eavesdropper anywhere on the network path (the same Wi-Fi network, the mobile operator, any transit provider) can therefore read the GPS location of every member of the user's family, together with their names, battery level, whether the device is flagged as a child's, and the URLs of their profile photos. The photo URLs themselves are plain http:// links to an S3 bucket, so the photos are fetched in clear text as well.

Example data transmitted in plain text:

{"code":204,"response":[{"pid":"919081","name":"","avatar":"0","avatar_img":"","is_history":"1","is_child":"0","battary":"16","position":{"lat":"54.737669","lng":"20.497225","accuracy":"22","time":"1493228407321","provider":"fused","satellites":"0"},"is_location":0}]}

{"code":204,"response":[{"pid":"918111","name":"\u0421","avatar":"0","avatar_img":"","is_history":"1","is_child":"0","battary":"9","position":{"lat":"55.669682","lng":"37.536886","accuracy":"23","time":"1493221696994","provider":"fused","satellites":"0"},"is_location":0},{"pid":"918112","name":"","avatar":"0","avatar_img":"","is_history":"1","is_child":"0","battary":"15","position":{"lat":"55.403762","lng":"37.490915","accuracy":"116","time":"1493215759975","provider":"fused","satellites":"0"},"is_location":0}]}

{"code":204,"response":[{"pid":"918161","name":"LENOVO A3300","avatar":"43","avatar_img":"","is_history":"1","is_child":"0","battary":"10","position":{"lat":"49.660140","lng":"32.023471","accuracy":"23","time":"1493215276616","provider":"fused","satellites":"0"},"is_location":0},{"pid":"918331","name":"Nomi i3050","avatar":"42","avatar_img":"","is_history":"1","is_child":"1","battary":"11","position":{"lat":"49.601861","lng":"31.925968","accuracy":"3586","time":"1493216787322","provider":"fused","satellites":"0"},"is_location":0}]}

Example response with profile pictures:

{"code":204,"response":[{"pid":"358721","name":"\u0412\u043e\u0441\u044f","avatar":"37","avatar_img":"http:\/\/bestmyfamily.s3-website-eu-west-1.amazonaws.com\/photos\/3c\/3c73f50d4211f6e18be3d7567862950e-7.jpg","is_history":"1","is_child":"0","battary":"90","position":{"lat":"61.103364","lng":"72.582623","accuracy":"22","time":"1493222885412","provider":"network","satellites":"0"},"is_location":0},{"pid":"869397","name":"\u0412\u0435\u0440\u0430","avatar":"0","avatar_img":"http:\/\/bestmyfamily.s3-website-eu-west-1.amazonaws.com\/photos\/d9\/d9a000d78092aff0f4c2b2d041380529-9.jpg","is_history":"1","is_child":"0","battary":"81","position":{"lat":"61.103605","lng":"72.582713","accuracy":"1","time":"1493230492000","provider":"fused","satellites":"0"},"is_location":0}]}
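
The following script is an added example, not code from the advisory or from the vendor: it parses two of the captured response bodies quoted above (copied verbatim from the advisory) the way a passive eavesdropper could after pulling them out of a packet capture, and shows what each one gives away: who, where, how precisely, when, the battery level, the child flag, and whether the profile photo is also retrieved over plain HTTP. The field names are the app's own; the helper names and the output format are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Both samples are copied from the plaintext responses quoted in the advisory.
# First: two members with profile photos (hosted on a plain-HTTP S3 website endpoint).
SAMPLE_WITH_PHOTOS = r'''{"code":204,"response":[{"pid":"358721","name":"\u0412\u043e\u0441\u044f","avatar":"37","avatar_img":"http:\/\/bestmyfamily.s3-website-eu-west-1.amazonaws.com\/photos\/3c\/3c73f50d4211f6e18be3d7567862950e-7.jpg","is_history":"1","is_child":"0","battary":"90","position":{"lat":"61.103364","lng":"72.582623","accuracy":"22","time":"1493222885412","provider":"network","satellites":"0"},"is_location":0},{"pid":"869397","name":"\u0412\u0435\u0440\u0430","avatar":"0","avatar_img":"http:\/\/bestmyfamily.s3-website-eu-west-1.amazonaws.com\/photos\/d9\/d9a000d78092aff0f4c2b2d041380529-9.jpg","is_history":"1","is_child":"0","battary":"81","position":{"lat":"61.103605","lng":"72.582713","accuracy":"1","time":"1493230492000","provider":"fused","satellites":"0"},"is_location":0}]}'''

# Second: no photos, one member flagged as a child, one coarse fix (accuracy 3586 m).
SAMPLE_NO_PHOTOS = r'''{"code":204,"response":[{"pid":"918161","name":"LENOVO A3300","avatar":"43","avatar_img":"","is_history":"1","is_child":"0","battary":"10","position":{"lat":"49.660140","lng":"32.023471","accuracy":"23","time":"1493215276616","provider":"fused","satellites":"0"},"is_location":0},{"pid":"918331","name":"Nomi i3050","avatar":"42","avatar_img":"","is_history":"1","is_child":"1","battary":"11","position":{"lat":"49.601861","lng":"31.925968","accuracy":"3586","time":"1493216787322","provider":"fused","satellites":"0"},"is_location":0}]}'''

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_family_response(body: str) -> list[dict]:
    """Return one record per family member found in a captured response body.

    Every value here was readable in clear text on the wire; nothing is
    decrypted or inferred, the script only restructures the JSON.
    """
    data = json.loads(body)
    members = []
    for m in data.get("response", []):
        pos = m.get("position") or {}
        # "time" is milliseconds since the Unix epoch; integer timedelta keeps it exact.
        fix_time = EPOCH + timedelta(milliseconds=int(pos.get("time", "0")))
        url = m.get("avatar_img") or None   # empty string means no photo set
        members.append({
            "pid": m["pid"],
            "name": m.get("name", ""),
            "is_child": m.get("is_child") == "1",
            "battery_pct": int(m.get("battary", "-1")),   # "battary" is the app's own spelling
            "lat": float(pos["lat"]),
            "lng": float(pos["lng"]),
            "accuracy_m": float(pos.get("accuracy", "0")),
            "fix_time": fix_time.isoformat(),
            "provider": pos.get("provider"),
            "photo_url": url,
            # True when the photo itself would also be fetched without encryption.
            "photo_over_plaintext": url is not None and urlsplit(url).scheme == "http",
        })
    return members


def describe_leak(members: list[dict]) -> list[str]:
    """One human-readable line per member, summarising what the eavesdropper learned."""
    lines = []
    for m in members:
        who = f'pid {m["pid"]}' + (f' ({m["name"]})' if m["name"] else "")
        child = ", child device" if m["is_child"] else ""
        photo = (", photo over plaintext http" if m["photo_over_plaintext"]
                 else (", photo over https" if m["photo_url"] else ", no photo"))
        lines.append(
            f'{who}: {m["lat"]:.6f},{m["lng"]:.6f} ±{m["accuracy_m"]:.0f} m '
            f'at {m["fix_time"]} via {m["provider"]}, battery {m["battery_pct"]}%'
            f'{child}{photo}'
        )
    return lines


if __name__ == "__main__":
    for body in (SAMPLE_WITH_PHOTOS, SAMPLE_NO_PHOTOS):
        for line in describe_leak(parse_family_response(body)):
            print(line)
```

Run as-is it prints one line per family member from the two captured bodies; pointed at bodies extracted from a real capture (for example with tshark's HTTP follow-stream output) it works the same way, which is the point: no key material or active interception is needed, only a copy of the traffic.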

Workaround

None available.

Suggested Mitigation

Sensitive personal data such as GPS locations or photos should always be transferred over a secure connection. The app should use TLS (HTTPS) for all exchanges with its backend, and should validate the server certificate rather than accept any certificate. The same applies to the profile photos: the URLs in the captured responses point at an S3 static-website endpoint, which serves plain HTTP only, so the photos need to be served from an HTTPS-capable endpoint and referenced with https:// URLs.

Timeline

  • 2017-04-26: found vulnerability
  • 2017-05-18: Reported
  • 2018-08-11: Published