LocationSmart took the flawed webpage offline Thursday, a day after Carnegie Mellon University computer science student Robert Xiao discovered the software bug and notified the company, Xiao told The Associated Press.
The doctoral researcher said the bug “allowed anyone, anywhere in the world, to look up the location of a U.S. cellphone.” “I could punch in any 10-digit phone number,” Xiao added, “and I could get anyone’s location.”
The web page was designed to let visitors test out LocationSmart’s service by entering their cellphone number. The service would then ring their phone or send a text message to obtain consent, after which it would display the phone’s location — generally to within several hundred yards.
But Xiao found a flaw that allowed him to bypass consent in just 15 minutes. “It would not take anyone with sufficient technical knowledge much time to find this,” he said. He wrote a script to exploit it.