SQLi in GPS Location Tracker App

Report ID



  • Vendor: SeeBetaApp
  • Product: Track My Family (Package-name: com.betaapp.myfamilylocator)
  • Affected Version: 2.6
  • Severity: high
  • Short summary: SQLi in Login form breaks authentication


The backend provides a PHP file which returns information about the people belonging to your so-called "family".
With a GET parameter, the user sends their identifier and the backend selects the data accessible with this identifier.
As no other authentication is required, an adversary can supply an arbitrary phone number and receive data that should only be accessible to the person with that identifier. Even worse, the GET parameter is prone to SQL injection, so an adversary can access all data.

http://******/*****/fetch_family.php?mobile=' or '' ='


Suggested Mitigation

Proper input sanitization is needed. More details can be found at
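As an added example (not the vendor's code), this shows the lookup pattern the advisory describes next to a hardened version that binds the parameter and derives the identifier from the authenticated session instead of the request. The table name `family_members`, its columns, the PDO connection and the session layout are assumptions.

```php
<?php
// Added example, not taken from the Track My Family backend.
// Assumptions: a PDO connection, a table `family_members` with columns
// `mobile`, `name`, `family_id`, `latitude`, `longitude`, and that the
// authenticated user's own mobile number is stored in $_SESSION['mobile'].

// Pattern the advisory describes: the GET value is concatenated into the
// SQL string, so a value like  ' or '' ='  turns the WHERE clause into a
// tautology and the query returns every row. Shown for comparison only.
function fetchFamilyVulnerable(PDO $db, string $mobile): array
{
    $sql = "SELECT * FROM family_members WHERE mobile = '" . $mobile . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version:
//  1. The identifier comes from the server-side session, so a caller cannot
//     read another family's data by editing a request parameter.
//  2. The value is bound as a parameter, so the driver never treats it as SQL.
//  3. Only the columns the app needs are selected, not `*`.
function fetchFamilySafe(PDO $db): array
{
    if (empty($_SESSION['mobile']) || !is_string($_SESSION['mobile'])) {
        http_response_code(401);
        return [];
    }

    // Return every member of the family the authenticated user belongs to.
    $stmt = $db->prepare(
        'SELECT m.mobile, m.name, m.latitude, m.longitude
           FROM family_members AS m
           JOIN family_members AS me ON me.family_id = m.family_id
          WHERE me.mobile = :mobile'
    );
    $stmt->execute([':mobile' => $_SESSION['mobile']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (assumed DSN/credentials): session_start(); $db = new PDO($dsn, $user, $pass,
// [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// echo json_encode(fetchFamilySafe($db));
```

Setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the database server itself handle the bound parameter rather than the PHP driver interpolating it client-side.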


  • 2017-08-09 Vulnerability Discovered
  • 2017-08-10 Contacted developer
  • 2018-08-11 Published