Location Data of More Than 100 Million Users Got Compromised


Shazam, a popular music app was a doorway to the user’s precise location. Threat actors took advantage of the Shazam app susceptibilities to discover the victim’s specific location. Ashley King, a British IT security researcher uncovered the vulnerabilities in the Shazam app which could expose the locations of android and iOS users.

The vulnerability in the Shazam app was termed CVE-2019-8791 and CVE-2019-8792, more than 100 million users were affected at the time. Threat actors used a single malicious URL to acquire access to the victim’s precise location. This URL led the victim to the Shazam app, Shazam then opens a WebView and executes the malware which results in sending the victim’s location data back to the threat actor.

Ashley King reported the vulnerabilities in December 2018 three months after apple acquired the Shazam app. The flaw in Shazam app was finally patched on March 26, 2019, both on iOS and android but the specifics of it were only revealed last week. 

Ashley explained via a blog post that “Shazam uses deep links throughout the app as part of its navigation. I found that a particular exported deep link (which was responsible for loading a website inside a web view) was not validating its parameter, allowing external resources to be in control. This web view included a few java scripts interfaces that allowed content to communicate with the Android & iOS API’s making it possible to pull back device-specific information and the last known precise location of the user”.

Apple and Google Play Security Rewards Program did not deem ‘location data’ as big enough of a security threat even though the vulnerability was patched – most firms do not see user’s location data as a privacy issue, Ashley concluded.