Jesper Andersen, the developer behind anti-social networking app Avoidr, discovered a security flaw in Foursquare that allowed him to monitor 875,000 check-ins in San Francisco over the past three weeks, Wired reports.
Venues’ pages on Foursquare’s website display the users who have checked-in their most recently. Until Jesper alerted the company of the problem, these users were displayed regardless of a user’s privacy settings. So Jesper built a scraper that monitored these web pages for changes to these lists; whenever a new user appeared on one of these pages, his scraper could infer that the user had just checked-in at that location.
That’s a particularly glaring error, but Foursquare isn’t the only location-based social network with privacy problems. In fact, according to a study conducted by researchers at AT&T Labs and Worcester Polytechnic Institute, all of them share data with third parties.
The researchers looked at 20 social networks, including traditional networks with a mobile component — Facebook, MySpace, Twitter — and purely mobile networks like Foursquare, Gowalla, Loopt, and Brightkite. According to the report, 19 of the 20 (all but Loopt) shared information with third parties in a way that could allow them to connect online activity to actual identity. And even Loopt shared information that would let a third-party track a user across multiple networks.
These problems aren’t specific to mobile networks — the researchers have seen similar issues with traditional networks in other studies. And none of it is as severe as the leak Foursquare just plugged. But users sharing their precise, real-time locations are liable to have very high expectations about how securely that data is transmitted and stored.
So far, location services aren’t doing a good enough job.