A Firebase database misconfiguration exposed sensitive GPS data and personal information – a nightmare for data protection and the safety of minors.
The supposed security that tracking apps promise parents and other users is massively undermined by a serious security flaw. An iOS tracking app widely available in the App Store, which has been downloaded over 320,000 times, revealed the GPS locations of its users – including children – in real time due to improper configuration of its password-less Firebase database. This serious data breach allowed cybercriminals to determine not only the current location of those affected, but also to access further sensitive data such as phone numbers, user details and hidden API keys. While the app was originally intended as a monitoring and security tool, the security breach now opens up a worrying scope for stalkers and further attacks, underlining the urgent need for an improved security strategy in app development.
The latest revelations about an iOS tracking app cast a dark light on the apparent security that many parents and users enjoy in their daily lives. The app, which was downloaded by over 320,000 people from the Apple App Store and was originally designed to monitor children or other close relatives, could now inadvertently serve as a tool for cybercriminals. A serious misconfiguration in the password-less Firebase database allowed attackers to access real-time GPS locations, creating a GPS roadmap that could potentially open the door to stalkers and other criminals.
The app was originally designed to help parents keep an eye on their children’s whereabouts – a feature that gives many a sense of security. However, a serious security flaw discovered during Cybernews investigations has exposed sensitive data such as phone numbers, GPS coordinates, usernames and device details. The error was due to the improper configuration of the Firebase security rules, which allowed attackers unhindered access to almost 20,000 stored data points. Using an automated scraper, the hackers are able to continuously extract new data without the affected individuals knowing about it.
The consequences of this leak are alarming. Not only can cybercriminals determine the exact location of individuals in real time, but they can also read other sensitive information from the app code. In addition to GPS data, API keys, client IDs, database URLs, Google app IDs, project IDs, reverse client IDs, storage areas, GAD application identifiers and Facebook application IDs, among other things, were revealed. This information allows attackers to penetrate and manipulate the underlying services. A single API key can be used as a gateway to Google services, which not only can result in financial damage from fraudulent requests, but also enables the abuse of service quotas.
The secrets revealed also open the door to further cyber attacks. Hackers can use the stolen keys to infiltrate the app’s security infrastructure, import malicious files or manipulate data traffic. This is particularly worrying when the app is used to monitor minors – a circumstance that significantly increases the risk of children being specifically located and tracked. As Aras Nazarovas, a Cybernews researcher, points out, GPS data can be used to draw conclusions about daily activities, which can be misused for social engineering attacks. In this scenario, the dream of stalkers to determine the location of their targets unhindered literally becomes reality.
Cybernews's research, which analysed 156,000 iOS apps – about 8% of all apps available – also reveals a systemic problem in app development. Around 71% of the apps examined revealed at least one sensitive secret, with an average of 5.2 such data points found per app. A similar pattern was also found in popular dating apps, where attackers gained access to nearly 1.5 million user photos, including private and previously deleted photos.
Overall, the incident shows how dangerous it can be when sensitive data is not sufficiently protected. While parents and other users often appreciate tracking apps as a means of keeping their children safe, such security vulnerabilities can have the opposite effect and pose a massive threat to privacy and personal safety. The developers of the affected iOS app have so far remained silent despite multiple attempts at contact by Cybernews, which is further fueling the displeasure in the cybersecurity community. This case should be seen as a stark warning: security practices in app development must be continuously reviewed and improved to prevent trusted technologies from falling into the hands of criminals.