Two security researchers Vangelis Stykas and Michael Gruhn published that they found critical vulnerabilities dubbed as Trackmageddon in GPS location services that allows a third party or hacker to take full access of sensitive data from tracking devices which is managed by vulnerable GPS services.

Trackmageddon affects those GPS services which produce geolocation data of users from GPS-enabled devices and trackers to find out their locations.


The vulnerabilities include easy to guess passwords, insecure API endpoints, expose folders and insecure direct object reference that means it’s easy for attacker to exploit these vulnerabilities and take access of users personal identifiable information which is collected through location tracking devices including geo coordinates, their phone numbers, phone model, IMEI numbers and custom assigned names.

There are some websites from which attackers or any unauthorized person can access photos and videos which is uploaded by tracking devices.

According to the researchers, the most of vulnerable GPS tracking devices are running on ThinkRace tracking location software. But the company said that four of the affected domains have now fixed and the remaining domains are still infected by this vulnerability.

Researchers wrote in their post that “We tried to give the vendors enough time to fix (also respond for that matter) while we weighted this against the current immediate risk of the users.”

“We understand that only a vendor fix can remove user’s location history (and any other stored user data for that matter) from the still affected services but we (and I personally because my data is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices much higher than the risk of historic data being exposed.”

You can find the vulnerable domains from the following link:

Vulnerable Domains

Researchers recommend their users to remove their data from vulnerable services, changing their passwords and always keep strong passwords. Users should stop using these GPS services until these vulnerabilities get patched.


Please enter your comment!
Please enter your name here