A vulnerability in the website of a California company that collects real-time data on mobile devices would have allowed anyone to determine the location of an AT&T, Verizon, Sprint, or T-Mobile mobile phone in the United States to within hundreds of feet, a security researcher said.
The company involved, LocationSmart of Carlsbad, operates in a little-known business sector that provides data to companies for uses such as tracking employees and sending e-coupons to customers near relevant stores. The customers that LocationSmart identifies on its website are the American Automobile Association, FedEx and the insurance carrier Allstate. LocationSmart did not immediately respond to emails and phone messages seeking comment on the error and its business practices.
The LocationSmart error was first reported by independent journalist Brian Krebs. It is the latest case that highlights how easy it is for wireless service providers to share or sell customers' geolocation information without their consent.
The New York Times reported earlier this month that a company called Securus Technologies provided location data on mobile customers to a former Missouri sheriff accused of using the data to track individuals without a court order. On Wednesday, Motherboard reported that Securus' servers had been breached by a hacker who had stolen user data, most of which belonged to law enforcement agencies.
Securus may have received its location data indirectly from LocationSmart. Securus officials told the office of Senator Ron Wyden, an Oregon Democrat, that they had received the data from a company called 3Cinteractive, Wyden spokesman Keith Chu said. LocationSmart lists 3Cinteractive among its customers on its website.
Wyden said the LocationSmart and Securus cases underscore the "boundless dangers" that Americans are facing due to a lack of federal regulations on geolocation data.
"A hacker could have used this site to know when you were in your house so they would know when to rob it. A robber could track down your child's cell phone to know when they were alone," he said in a statement.
LocationSmart took the flawed website offline on Thursday, one day after Robert Xiao, a computer science student at Carnegie Mellon University, discovered the software error and notified the company, Xiao told The Associated Press.
The bug "allowed anyone anywhere in the world to look up the location of a US cell phone," said Xiao, a doctoral researcher. "I could enter any 1
The site was designed so that visitors could test LocationSmart's service by entering their mobile number. The service would then call the phone or send a text message to get the user's consent. It would then show the location of the phone, generally to within several hundred meters.
But in just 15 minutes, Xiao found a flaw that allowed him to bypass the consent step. "It would not take much time for anyone with enough technical knowledge to find that," he said. He wrote a script to take advantage of it.
"It was just surreal when I discovered that," he said. Xiao's research revealed that LocationSmart had been offering the service since at least January 2017.
LocationSmart describes itself as the "world's largest location-as-service company". It says it receives location information from all major US and Canadian mobile operators, with 95% coverage.
AT&T and Sprint representatives said they do not allow sharing of location information without individual consent or a lawful order such as a warrant. Verizon spokesman Rich Young said the company has taken steps to ensure that Securus can no longer request information about the company's mobile subscribers and that it is reviewing its relationship with LocationSmart.
T-Mobile did not immediately respond to a request for comment.
Gigi Sohn, a former top Federal Communications Commission adviser during the Obama administration, said users' location data has been under serious threat since last year. At that time, Congress abolished FCC privacy rules that prevented mobile operators from sharing or selling it without the customer's express consent.
"Only consumers should be able to choose whether a company like LocationSmart should have access to these data," she said.
AP Technology Writer Matt O'Brien contributed to this report.