paint-brush
Life360 Potentially Leaves Its Users’ Sensitive Data at Riskby@TheMarkup
24,315 reads
24,315 reads

Life360 Potentially Leaves Its Users’ Sensitive Data at Risk

by The MarkupSeptember 10th, 2022
Read on Terminal Reader
Read this story w/o Javascript

Too Long; Didn't Read

Life360 is a location tracking app for families to keep tabs on their loved ones’ whereabouts. The Markup tested the app against a series of standards published by the Open Web Application Security Project (OWASP) The app failed to pass six of the 19 tests we were able to conduct for important security features such as limiting failed log-in attempts and verifying that passwords are checked against a set of breached credentials. Life360 says it has a "highly experienced security team and conduct both internal and external audits"
featured image - Life360 Potentially Leaves Its Users’ Sensitive Data at Risk
The Markup HackerNoon profile picture

The family safety app Life360 doesn’t have some standard guardrails to prevent a hacker from taking over an account and accessing sensitive information, The Markup has found.


The service, used by more than 35 million people in 140 countries, is a location tracking app for families to keep tabs on their loved ones’ whereabouts. The app shares real-time location among group members as well as marked locations such as homes and workplaces.


Through a series of tests, we found that Life360 doesn’t provide several basic security measures to thwart potential hackers, including limiting failed log-in attempts and providing two-factor authentication for accounts.


The Markup tested the Life360 app against a series of standards published by the Open Web Application Security Project (OWASP), a nonprofit foundation that promotes app security standards.


The organization’s Application Security Verification Standard (ASVS) is a voluntary industry guideline and also closely follows the National Institute of Standards and Technology’s (NIST) Digital Identity Guidelines, which are federal standards for user authentication.


We found that Life360’s app failed to pass six of the 19 tests we were able to conduct for important security features such as limiting failed log-in attempts and verifying that passwords are checked against a set of breached credentials.


Life360 did pass 11 other of the ASVS tests—for example we verified that users are able to change their password and can use passwords of more than 64 characters. Life360 partially passed two additional tests that check if a user is notified about account changes.


We found the app notified users about log-ins from multiple devices and password reset requests but not when the account’s email address, phone number, or password were changed. You can see the full results of our testing here.


“We strongly disagree with the implied accusations in your series of questions. We have a highly experienced security team and conduct both internal and external audits of our platform. In addition we host a bug bounty program and run ongoing penetration testing,” said Chris Robertson, head of security and cloud operations for Life360, in an emailed statement to The Markup.


For one of the tests, we set up a script that attempted to log in to one of our accounts on Life360’s website using incorrect passwords more than 500 times in just over 16 minutes (after checking an initial checkbox labeled “I am human”).


It allowed us to log in when we entered the correct password on the 501st attempt. We also did this test manually through the app with more than 100 failed attempts with the wrong password followed by a successful attempt with the correct password.


In both cases, Life360 never blocked future log-in attempts and immediately allowed access once we put in the correct password.


The ASVS standard calls for allowing no more than 100 failed log-in attempts per hour on a single account.


The platform’s lax password policies, apparent lack of log-in attempt limits, and the absence of two-factor authentication is notable considering the sensitive nature of the precise, real-time location data it uses and the fact that children are among its users.


The Markup previously reported that Life360’s vast collection of location data made it one of the largest suppliers of raw data for the location data industry. In January, the company announced that it would stop selling precise location data (except to Allstate’s Arity) but would still supply aggregated location data to the company Placer AI.


“An app that’s dealing with child information that’s not at least offering multifactor [authentication], that’s straight-up negligence,” Jim Manico, the ASVS’s project manager said.


Life360 users have complained about unauthorized log-ins in multiple posts on social media and in reviews for the Life360 app in the Google Play and iOS app stores.  Several users claimed that a hacker had logged in to their accounts and was able to view either their real-time locations, their marked places like their homes, or their loved ones’ real-time location.


Life360 did respond to each of the app store reviews that we found, directing users to their support team.


The reviewers did not respond to multiple requests for comment. “Reports of hacked accounts are extremely rare and are usually a result of a family member inviting someone, such as a friend, to their shared family account,” Life360’s Robertson said.


Former Life360 employees told The Markup that Life360 executives were well aware of the security issues but chose growth and new user features over dealing with a backlog of security improvements. The former employees spoke to The Markup on a condition of anonymity because they are still employed in the data industry.


Life360 has recently started positioning itself as a way to ensure the digital safety of its users, including identity theft protection, credit monitoring, and data breach notifications. In its marketing language, Life360 promises users, “We safeguard your data so you can live more and worry less,” noting that up to “1 million kids each year” are victims of hacks and identity theft.


The company also doesn’t follow the security advice it shares in its marketing material. In a posted to Life360’s website, it recommends users set passwords at a minimum of 12 characters. Life360 only requires that passwords contain six characters.


Experts warn that apps that allow people to track each other’s locations, in particular, can be misused.


Abusive partners will sometimes use access to shared accounts to follow and harass survivors, and tracking apps are a big part of that concern, Thomas Ristenpart, an associate professor at Cornell Tech and a co-founder of the Clinic to End Tech Abuse, said.


While he hasn’t seen examples of Life360 being abused by stalkers, Ristenpart said that any apps that provide real-time location data are causes for concern. In his work, he’s aware of location monitoring tools being used by abusive partners who track and stalk survivors, he said.


“We do look for apps like Life360 installed. If we find them, then we do have a discussion with the clients about what they want to do,” Ristenpart said.


Improving account security is often the top recommendation that Ristenpart makes to tech companies, he said.


More companies are requiring two-factor authentication as a security feature to prevent account takeovers. In February, Google reported a 50 percent drop in account takeovers after it enabled two-factor authentication by default. Ring, the Amazon-owned doorbell company, enabled mandatory two-factor authentication after hackers hijacked cameras to harass owners.


Experts said preventing users from creating obvious passwords like “123456” and “password”—which Life360 does not do—is also important. The app also failed to flag a famously breached password, “password1,” and email login “[email protected],” which comedian Andy Samberg jokingly shared as his HBO log-in at the 2015 Emmy awards.


Both credentials have been flagged by Google Chrome’s Password Checkup as well as the Have I Been Pwned database as leaked.


“It doesn’t sound like they’ve done even the basics,” Jim Fenton, a consultant for NIST and a co-author of the agency’s authentication guidelines, said. “If you can use the password ‘password,’ that’s not great.”


One of the former Life360 employees told The Markup that there had been an internal debate about email validation for accounts. Verifying an email address helps prevent fraud and bots from spamming a service, and it protects users from having somebody sign up in their name.


The former Life360 employee said the company decided against this measure to make it easier for people to sign up.


We changed our Life360 accounts’ emails multiple times without receiving any validation emails to make sure they were real email addresses. We also never received validation emails when signing up.

What We Found

Why it Matters

A lack of multifactor authentication

Multifactor authentication prevents an attacker from being able to log in to your accounts by having just your password alone. It usually requires a second authentication method, which can be a temporary code from a text message or an authentication app, or a physical token like a USB security key.

No log-in attempt limits

Attempt limits prevent attackers from making an infinite amount of guesses until they correctly guess your password. Hackers will often use bots to do this and can eventually crack most passwords without attempt limits. We were able to try the wrong password 500 times with no warning (after checking an initial checkbox labeled “I am human”).

Lack of password change notifications

Password change notifications warn users when their credentials are altered without their consent. Life360 logs out all other sessions once a password is changed, but the original owner is never notified when that happens. If the attacker changes the password before the real user does, the real user would effectively be locked out of their own accounts.

Weak password strength requirements

The longer your password is, the harder it is for a bot to crack or a person to guess. NIST and OWASP both recommend passwords with at least eight characters. The requirement for Life360 was at least six characters.

No warning when using common passwords or known breached credentials

Many data breaches are the result of exploiting commonly used passwords from past data breaches. We were able to set our passwords to “password” and “123456,” two of the most common passwords found in breaches.

No ability to directly log out other sessions or review activity

The only way to log out other log-in sessions is through resetting your account password. It is possible to have two devices logged in with the same account simultaneously, which could reveal a person’s exact location and recent location history. An account activity log would let users look for suspicious login activity.


Credits: Alfred Ng and Jon Keegan


Photo by Towfiqu barbhuiya on Unsplash


Also published here