> TechCrunch spent a week trying to contact the developer, React Apps, to no avail. The company’s website had no contact information — nor did its bare-bones privacy policy. The website had a privacy-enabled hidden WHOIS record, masking the owner’s email address. We even bought the company’s business records from the Australian Securities & Investments Commission, only to learn the company owner’s name — Sandip Mann Singh — but no contact information. We sent several messages through the company’s feedback form, but received no acknowledgement.

And people trust this with the real-time location data of their children so they can keep them "safe". Absolutely ridiculous.
Not the first time someone left a MongoDB database exposed to the wild, and it won't be the last. It's an easy thing to do, especially since MongoDB is so popular for small single-server projects.

A few years ago, I discovered the open MongoDB database of an educational website called Kaizena, which we were using in my high school English class. When I reported the problem to them, they quickly fixed it (probably with some iptables hack). They even wrote a blog post [1] about fixing it, where they claimed they added "additional firewalls to the database". More like _one_ firewall.

As a side note, Kaizena also had another security bug where their API would return JSON payloads that had private information in it (e.g. the voice feedback for other students' work). I reported it years ago, but who knows if it's fixed.

[1] https://blog.kaizena.com/post/68627783859/a-note-on-security
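The exposure pattern this thread is about (a mongod listening on every interface with authentication off) is visible in mongod.conf before anyone ever scans for it. As an added example, not code from the thread, the article, or any of the apps named in it, here is a small audit that parses the two-level YAML subset mongod.conf uses and flags that combination; the two configurations are constructed samples, not the real app's settings.

```python
from typing import Dict, List

# Constructed sample (assumption: illustrative only, not any real deployment):
# the shape of a mongod.conf that is reachable from anywhere with no credentials.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface
security:
  authorization: disabled  # anyone who can connect can read everything
"""

# Constructed hardened counterpart: loopback only, clients must authenticate.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1        # app servers reach it via a private network or tunnel
security:
  authorization: enabled
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Minimal parser for the 'section:\\n  key: value' subset of mongod.conf."""
    settings, section = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if raw.startswith((" ", "\t")):           # indented: key inside current section
            settings[f"{section}.{key}"] = value.strip()
        else:                                     # unindented: a new section header
            section = key
    return settings


def audit(text: str) -> List[str]:
    """Return findings; an open bind plus no auth is the exposure the article describes."""
    s = parse_conf(text)
    findings = []
    # Assumption: mongod 3.6+ defaults bindIp to localhost; older builds bound all interfaces.
    bind_ips = [ip.strip() for ip in s.get("net.bindIp", "127.0.0.1").split(",")]
    wide_open = s.get("net.bindIpAll", "false").lower() == "true" or \
        any(ip in ("0.0.0.0", "::") for ip in bind_ips)
    if wide_open:
        findings.append("net.bindIp: mongod accepts connections on all interfaces")
    if s.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization: clients are not required to authenticate")
    if len(findings) == 2:
        findings.append("CRITICAL: unauthenticated database reachable from any network")
    return findings
```

Running `audit(WEAK_CONF)` yields all three findings while `audit(HARDENED_CONF)` yields none; a firewall in front of the host (the "iptables hack" above) is a second layer, not a substitute for either setting.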
As bad as it is, I can understand accidentally leaving a database accessible (they generally *need* to be accessible and setting just the right amount of accessible can be complex).

But this:

> ...plaintext passwords...

Why, oh why, store plaintext passwords?!?
> We contacted one app user at random who, albeit surprised and startled by the findings, confirmed to TechCrunch that the coordinates found under their record were accurate.

So they accessed the database as well as personal information of users? Is this not a crime whether or not the database was unprotected?
We should let Google do it and give us the details; they do it better, as they have already invested a lot in it, doing it and keeping it secret, or FB does it. Basically an Android app asking the other person to accept to track their location and send it to the other person when they want it. It should be that simple.
Shameless plug: I've built a family location sharing app that uses end-to-end encryption, so you don't have to worry about this sort of data leak (or any other). It's available for iOS and Android. (It's in beta, but quite functional.)

https://www.zood.xyz