A critical security vulnerability was recently uncovered in iSharing, a popular location tracking and parental control app, affecting its 35 million iOS and Android users. The discovery was made by security researcher Eric Daigle, who documented a series of exploitable flaws in the app's handling of user data and group management, leading to potential unauthorized access to personal information and real-time location data.
Background and discovery
Eric Daigle, a specialist in free software and geomatics, initiated his investigation by installing iSharing on a test device and monitoring the network traffic using HTTP Toolkit. His research began with basic account creation, which lacked any form of CAPTCHA or email verification, allowing the creation of multiple fake accounts. This preliminary finding was just the tip of the iceberg.
Vulnerability details
- Profile Picture Leak: Daigle discovered an Insecure Direct Object Reference (IDOR) vulnerability while attempting to fetch a profile picture from an AWS endpoint without authentication. Although his first unauthenticated request returned a 403 Forbidden status, he found that profile pictures, once uploaded, were publicly accessible with no rate limiting.
- Group Tracking Exploit: The core functionality of iSharing involves creating groups to share location data among users. Daigle demonstrated that the group creation process could be manipulated to allow an attacker to join a group and access the location of other users without their consent. This was achieved by bypassing the need for an invitation code, exploiting the sequential nature of user IDs, and using a hardcoded authorization key found within the app’s codebase.
- Authorization Flaws: The vulnerabilities were exacerbated by the lack of proper authentication checks. Daigle was able to create groups and gain access to them using arbitrary user IDs by manipulating the Authorization header used in API requests.
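The three defects above (a client-chosen user ID, an app-wide hardcoded key standing in for authorization, and a skipped invitation check) are easiest to see side by side. The following is an added example, not iSharing's code: a toy group-sharing backend whose function names, IDs and keys are all constructed for illustration.

```python
# Added example, not iSharing's code: a toy group-sharing backend contrasting
# the weak join flow described above with a hardened one. Every name, ID and
# key below is constructed for illustration.
import secrets

APP_KEY = "hardcoded-app-key"   # constructed: one key baked into every client build
GROUPS = {}                     # group_id -> {"members": set[int], "invite": str}
SESSIONS = {}                   # session token -> user_id, issued server-side at login
_next_group_id = 1000

def login(user_id: int) -> str:
    """Issue an unguessable session token bound to exactly one user."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token

def create_group(token: str):
    """Create a group owned by the session's user; return (group_id, invite_code)."""
    global _next_group_id
    owner = SESSIONS.get(token)
    if owner is None:
        return None
    group_id, _next_group_id = _next_group_id, _next_group_id + 1
    invite = secrets.token_urlsafe(16)   # random, never derived from sequential IDs
    GROUPS[group_id] = {"members": {owner}, "invite": invite}
    return group_id, invite

def join_group_vulnerable(auth_header: str, claimed_user_id: int, group_id: int) -> bool:
    """Weak pattern: identity is whatever the client claims, and the only
    'authorization' is an app-wide key every installation already contains."""
    if auth_header != APP_KEY or group_id not in GROUPS:
        return False
    GROUPS[group_id]["members"].add(claimed_user_id)   # no invite, no consent
    return True

def join_group_hardened(token: str, group_id: int, invite_code: str) -> bool:
    """Identity comes from the server-issued session, never the request body,
    and membership requires the group's invitation code (constant-time compare)."""
    user_id = SESSIONS.get(token)
    group = GROUPS.get(group_id)
    if user_id is None or group is None:
        return False
    if not secrets.compare_digest(invite_code, group["invite"]):
        return False
    group["members"].add(user_id)
    return True

def can_view_location(token: str, group_id: int, target_user_id: int) -> bool:
    """Location data is served only to an authenticated member of the same group."""
    user_id = SESSIONS.get(token)
    members = GROUPS.get(group_id, {}).get("members", set())
    return user_id in members and target_user_id in members
```

Run with the vulnerable join, any holder of the shared key can add an arbitrary user ID to a group and then read the owner's location; the hardened join refuses unless the caller holds a valid session and the group's invite code.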
Remediation
After discovering the flaw, Daigle attempted to contact the iSharing developers but received no response. He then reached out to Zack Whittaker of TechCrunch, who helped confirm the vulnerability and facilitated contact with the developers. The issue was eventually addressed, and a fix was deployed by April 19, 2024.
This incident serves as a stark reminder of the importance of robust authentication mechanisms and the dangers of hardcoded credentials in mobile applications. Users of iSharing and similar apps are advised to ensure they update their apps regularly and remain vigilant about the permissions and data access granted to applications.