Should I contact the manufacturer if their product allows access to other users' location information?

Yes, you should notify the company of the problem - with caution.

Update: a shorter, very complete answer was supplied by @crovers. But if you have patience...

...the problem here is not simply the possibility of tracking J. Random Stranger, but rather that:

  • once your ID has been given to someone, apparently you cannot take it back and it does not expire. That person can now follow you everywhere (think "overly attached girlfriend"). Also, that ID may leak. Emails get forwarded by mistake and sometimes the little, easily overlooked ... glyph in mail programs covers lots of sensitive information.

  • you don't even need to give it to me. If the IDs are sequential [as commented by @crovers], I can tabulate all of them in very little time, check their position, and easily single out those five or six that are near enough to the position I know you might be in. Tomorrow, another five or six will be near enough to a different place you're in; of those five, maybe two were in the original five, so you must be one of those two. In comparatively little time I've narrowed my candidates down to one: I now have your ID and can stalk you, and you are none the wiser.

  • I may not even know you. The ID can be used to prank total strangers. I just googled a bit and found a couple thousand Facebook users that boasted of their new (NAME OF GPS-RELATED GADGET). I used a very well known brand, so your gadget will have maybe only one hundred people that I can discover easily. A full half of those, I'm confident, will routinely post pictures about where they are (does Facebook purge EXIF GPS information?). In a very little while, one of them that caught my fancy might receive a message stating "How's the weather in Old Nowhereville?" even if he (or she) never said anything to anyone about where he (or she) was, nor even posted anything anywhere. Such pranks - and knowing that some total stranger is apparently interested in you, and always seems to know where you are - can totally ruin your day. And they can totally ruin the company's day, if some pranked people get convinced that their GPS can somehow be "hacked remotely", even if, as in this case, that's not what's happening at all. Yes, I have a sick mind - but I'm not the only one, so you might want to point the company's people to this page - and, to restate another very good point made by @crovers and Arminius, do so anonymously. The potential damage to them is huge, and you're doing them a big favor by pointing this out to them. But some companies might have a (knee-)jerk reaction and try to bully you into silence, believing this solves something (or even solves the matter entirely); Nobel laureate Richard P. Feynman's "vulnerability disclosure" story makes for hilarious reading ("That was his solution: I was the danger!").

You're actually helping them.

  • trust me, lots and lots of people would do exactly what you did when seeing "id=XXXXX" in a URL. I would have done it. Depending on the gadget's popularity, I'd wager many others will already have done so. So it's not like you're unleashing a zombie apocalypse on someone who otherwise would have remained safe - you'll probably simply be the first to have had the conscience to tell them they are not safe at all. Because that's significantly rarer than having the curiosity to change an ID.

It totally didn't have to be like this.

It is trivially simple, from the company's point of view, to fix this by allowing each user to regenerate a different secret ID on demand any time they choose. And even set an expiration date. And they still could do it now.

A very quick fix could be to proxy their website through a simple filter, connected with a database.

Your new URL is, say, http://www.example.com/mylocation/?id=22b255b332474ae3e7f008cc50ebe3e0&...

or one could translate that to "true.pony.pile.main.jazz.call.mine.soft.pink.rake.jane" to get something more easily remembered or dictated over a phone.

The first four words are somewhat connected to "correct horse battery staple".

The proxy checks in a database and finds that 22b255b332474ae3e7f008cc50ebe3e0 is a valid ID, and is associated with "real" (or "old") id 12345, so it transforms the URL by simply replacing the ID with 12345, sends the request to the true, hidden website, gets the page back, rewrites any 12345's with the original 22b2... stuff, and hey presto!, the external user can see where you are, same page as before, but he has no way of knowing that the true ID is 12345 (and, even if he knew, he'd have no way of getting it through to the system, which now only accepts hashes).

But now, user 12345 can have as many IDs active as the company wants (or sells!), and give one to his mom, one to his SO, and so on. One ID leaks, or he breaks up with his friend -- he invalidates that one ID. It also becomes possible to know how many accesses there have been to each ID, so the snooping can be two-way. Possibly for premium users only :-D. For some IDs, the website may even release randomized information, or low-precision GPS coordinates.

And if you wanted to guess a valid ID at random - well, there are some 2^128 of those. If each customer had one hundred disposable IDs (say 2^7), and the company had one billion customers (say 2^30), there would still be approximately one possibility over 2^90 to get a valid ID by trying at random. If that's too little (or if my math happened to be a bit askew), there are larger hashes too.

And the old ID no longer works since you can't reach the original server without the ID you supply getting hashed.

Given the reasonable implementation cost (a couple of days' worth for one developer and one QA engineer, and I'm padding heavily), I'm a bit baffled that this wasn't designed in from the start.
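The rewriting proxy sketched in this answer (opaque 128-bit token in the public URL, sequential id kept hidden, per-token revocation and access counting, and the random-guess arithmetic), as an added illustration that is not the answerer's code and not any real product's API; the backend is a constructed stub and the URL shape is assumed from the example above.

```python
import re
import secrets


class IdProxy:
    """Maps random public tokens to the hidden backend's sequential ids."""

    def __init__(self):
        # token -> {"real_id": int, "active": bool, "hits": int}
        self._tokens = {}

    def issue(self, real_id: int) -> str:
        """Mint a fresh 128-bit token; a customer may hold many at once."""
        token = secrets.token_hex(16)  # 32 hex chars = 128 random bits
        self._tokens[token] = {"real_id": real_id, "active": True, "hits": 0}
        return token

    def revoke(self, token: str) -> None:
        """One token leaks or a friendship ends: disable just that token."""
        if token in self._tokens:
            self._tokens[token]["active"] = False

    def hits(self, token: str) -> int:
        """How many times this token was used (the 'two-way snooping')."""
        return self._tokens[token]["hits"] if token in self._tokens else 0

    def handle(self, url: str, backend) -> str:
        """Swap ?id=<token> for the real id, call the backend, scrub the reply."""
        m = re.search(r"[?&]id=([0-9a-f]{32})\b", url)
        if not m or not self._tokens.get(m.group(1), {}).get("active"):
            return "404 Not Found"  # unknown, revoked, or a raw numeric id
        token = m.group(1)
        entry = self._tokens[token]
        entry["hits"] += 1
        real_id = str(entry["real_id"])
        page = backend(url.replace("id=" + token, "id=" + real_id))
        # Never let the hidden sequential id escape in the response body.
        return re.sub(r"\b" + re.escape(real_id) + r"\b", token, page)


def fake_backend(url: str) -> str:
    """Constructed stand-in for the original site, which only knows sequential ids."""
    real_id = re.search(r"id=(\d+)", url).group(1)
    return f"<p>User {real_id} is at 48.85,2.35</p>"


def guess_exponent(ids_per_customer_bits: int, customers_bits: int, token_bits: int = 128) -> int:
    """Return k such that a random token guess is valid with probability about 2^-k."""
    return token_bits - ids_per_customer_bits - customers_bits
```

With the answer's figures (2^7 tokens per customer, 2^30 customers) `guess_exponent(7, 30)` gives 91, the "one over 2^90" order of magnitude stated above.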


Yes. They ought to be using a long, unguessable string instead of a predictable, short one.

I would consider this a security flaw that is relatively simple for them to fix.

However, I would caution you - some companies do not handle situations like this very well. Some argue (in my view incorrectly) that changing that id constitutes hacking and they may threaten to sue or have you charged. That is dumb, but I'd advise you to approach them anonymously or via an intermediary.

Check to see if they have a bounty program - (google company name and bug bounty). If they do not, you may want to consider using an intermediary - Zero Day Initiative is one.


To add to the other answers - be aware of the risks of reporting the problem yourself:

If you're inexperienced with reporting security issues, you might come across to them as dodgy and potentially malicious. A company that doesn't have experience with handling security issues might forward your report to the company lawyer rather than the IT department. Obviously, you simply want to help, but to them you're mainly causing trouble. Chances are, they don't want the issue to become public (which could cause great harm to their business reputation) and hence they might threaten you with legal consequences. In the worst case they will contact law enforcement without further notice.

Being curious, I truncated the lat/lon part of the URL, and changed the id by one character.

So you didn't find that purely by accident. From the company's perspective you gained access to other customers' data by manipulating the URL - it won't matter to them how easy it was and that you did it "just out of curiosity". They might still see you as a threat and react unprofessionally.

You should be aware of this possible interpretation and decide carefully if it's worth the risk. If you deal with security bugs without a contract or a public policy that encourages bug hunting, you're in a legal grey area.