Skout server leaked nearly-exact location information on users

Fri, May 31, 2013

- ∞ -

http://corte.si/posts/security/skout/index.html

Another scary privacy find from Aldo Cortesi:

The Skout mobile application talks to Skout’s servers through a simple API.

What’s returned is a blob of XML containing the user’s complete profile data. In fact, the profile data is too complete, including some bits of data information that is never actually used by the app. For example, we can see the user’s exact date of birth… but only the user’s age in years is actually displayed. Most serious, however, is the high-precision location information that is returned in the homeLocation and location tags.

The three decimal places of precision in the co-ordinates is enough to locate a user to within about 110 meters north-south, and substantially less than that east-west depending on the distance from the equator.

Fortunately, the vendor patched the API within a few hours of notification.

I really should get into the habit of checking all my apps from time to time for this kind of leakage.