Could location-based apps put your physical security at risk?

When Cyber Threats Turn Physical

What if the passenger on your next ride-share wasn’t just a random stranger? What if that person already knew exactly where you’d be and at what time?

Today, people all over the world use ride-sharing services like Uber and Lyft that make commuting a breeze, and apps that track their performance when they go for a run or a bike ride. Whether as a means of transportation to the office each morning or for a night on the town, most of us opt for one of these apps over hailing a taxi.

But would we continue to trust these apps with this information if we knew that something as sensitive as our physical location could be compromised?

For some users, this is already the case.

4iQ monitors thousands of dark web sites, hacktivism forums, and black markets daily for stolen credentials and leaked personal information. We recently discovered accidental exposures from ride-share services in Mexico and India that left sensitive user data exposed in the deep and dark web, where it is now most likely in the hands of cybercriminals. The company in India had customers download their contacts from their phones, which added more than 852,000 contacts to the exposed information.

The problem that potentially compromised riders lies in the MongoDB configuration, which exposed JavaScript Object Notation (JSON) data. The sites exposed sensitive information on over 126,000 customers in real time, including their first and last names, trip itineraries, longitude and latitude of location, favorite locations, passwords in clear text, phone numbers, phone verification codes, favorite places and more.

Sample of exposed, redacted user trip request
Sample of exposed, redacted user account information

We have reached out to the affected companies letting them know they have a vulnerability.

This type of exposure represents a real shift from a cyberattack that presents an identity threat to a physical one. The idea that someone knows when you’re home or away is bad enough. But what if someone could use the information to share your next ride? The risks of abduction, kidnapping and ransom are frightening. In fact, the U.S. Department of State recently issued a warning to U.S. citizens about the risk of traveling to certain parts of Mexico due to the dangerous activities of criminal organizations in those areas.

Hackers who have access to this information can use it to track a user’s location in real time and look at trends in daily destinations to predict future trips. Having one’s travel habits in the hands of cybercriminals is extremely dangerous. And as more and more individuals start to use these applications, breaches like this represent a security risk we need to make extreme efforts to prevent.

Learn more about how 4iQ’s outside-in approach provides real-time alerts if and when your data is compromised.
