The Issue

FourSquare, a location-based social networking site, allows its users to “check in” at various venues with their mobile devices, and check in on friends. The app provides privacy settings so that users can show their locations only to listed friends, and its policy promises its users that “You can opt out of such broadcasts through your privacy settings.”

However, in June 2010, white-hat hacker Jesper Andersen successfully built a website to exploit a bug within the software. He was able to access data from 870,000 users, even those whose data was supposed to be limited to “friends only.”

The Concerns

For many, location privacy is of little concern. However, there have been many cases in which abusive husbands have used credit card statements to track wives in hiding. FourSquare makes location tracking even easier for such stalkers, and sadly, it has already been abused in this manner:

On February 2010, food blogger Sarah J. Gim checked in on FourSquare at the Loteria Grill. Ten minutes later, she received a phone call from someone at the restaurant’s front desk. The caller asked her what she was doing there and told her he’d be waiting for her at her apartment.

“I was on a date, but because he was a new person I sort of felt weird and just said I had to leave,” Gim said. “Then I walked next door to Geisha house, called a friend and I stayed at her place. I was kind of freaked out.”

FourSquare has also been abused by credit card scammers. In March 2010, angel investor Paige Craig checked in at Gold’s Gym in Venice. A little while after, an employee told him that a man named Ron was on the phone for him. Ron informed Craig that his credit card had been declined, and asked Craig to confirm his credit card number to him. Fortunately, Craig knew enough about social scams to hang up immediately. Yet many victims of FourSquare scammers may not be so fortunate.

FourSquare’s Response
Days after Andersen reported the leak, FourSquare emailed him to inform him that it had fixed one of the bugs he had found. Yet FourSquare had not yet solved two other privacy holes, claiming that it was still trying to figure out how to balance usability with privacy.

FourSquare did not disclose the privacy leak right away. Instead, it reported that it had closed a deal of $20 million in venture capital. Only after the deal was completed did FourSquare acknowledge to its customers that its software bug had leaked their private data.

For sources, see our References page.

A bug in FourSquare’s software allowed strangers outside your list of friends to access your private location data.