A security researcher appears to have tracked the physical location of a former top Biden administration official through his apparent usage of AllTrails, a popular hiking app with more than 30 million registered users. The AllTrails records appear to show the official visiting sensitive locations such as the White House, and also suggests the specific house where he or his family lives.
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.
The news highlights the sometimes overlooked privacy implications of exercise apps, similar to how a researcher previously found another app called Strava was exposing the location of U.S. military bases. By default, AllTrails users’ activity is public for anyone to view, including completed trails, maps, and activities. But that convenience and focus on providing a social network style experience comes with potential risks around national security or privacy, depending on the particular user. Whether a public figure like a government official or celebrity, or someone at risk of stalking in general such as someone in an abusive relationship, AllTrails’ privacy settings may be something users should consider. “I found interesting results by searching near the Pentagon, NSA, CIA or White House and then looking at the user's other activity,” Wojciech, the security researcher, told Motherboard in an email.
Do you know about any similar data leaks? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email email@example.com.
Wojciech said they used their own open source intelligence platform as part of the investigative process. They said the tool supports Strava and another app called SportsTracker, and will include AllTrails itself soon.Wojciech sent Motherboard a link to what they believed to be the AllTrails profile of the former top Biden official. Motherboard is not naming the official because they did not respond to requests for comment, and their profile is still publicly accessible. One trip to the White House in December recorded in AllTrails also shows a nearby apartment building he ended his journey at. More trips recorded that month show the official’s other movements throughout Washington D.C. Much of the AllTrails activity relates to when this official was part of the administration.Motherboard searched through the official’s AllTrails activity and found multiple hikes starting from the same location. Motherboard then queried public records and found this location was a house registered to the official’s family, meaning AllTrails had helped identify where the official or his family may have been living.
Motherboard also verified that the official does have an account on AllTrails by attempting to sign up to the service with the official’s personal email address. This was not possible because the address was already registered to an account.AllTrails lets users search for nearby trails, track their progress on routes, and read reviews of trails from other hikers. It’s something of a cross between an exercise app and a social network, with features such as followers and people able to post their own content.In Motherboard’s tests, there is no pop-up or similar warning on account creation about AllTrails’ data being public by default. To adjust their settings, users need to navigate to their profile, and then click “Privacy settings.” From here, they can change their complete trails, activities, and maps from the default “public” setting to “followers only” or only themselves.“AllTrails is a public community-based platform for users to share their outdoor hiking and trail experiences. Importantly, we offer customizable privacy settings that give users the option to choose what content is visible to whom. That means users control visibility settings for all of their own content, including activities, completed trails, maps, and lists,” Meaghan Praznik, head of communications at AllTrails, told Motherboard in an email. Praznik did not say whether AllTrails has had any conversations with U.S. government representatives about the potential for sensitive information to be generated through its service.On its site, AllTrails provides an FAQ that tells users how they can remove their profile from Google search, and more. After researchers, journalists, and members of the public poured over data leaking from Strava, the U.S. military reviewed the rules around the use of apps by its personnel.The office which the former top Biden official worked at did not respond to a request for comment.Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.