Tradono, yet another mobile app that leaks location-data

It seems like every mobile application today needs to interact with the users’ location, which is all fun and games until it starts leaking your location to everyone else.

A couple of months ago I wrote about Teazr, a dating app trying to take on Tinder, now renamed Blume, that leaked its users’ exact location. This is especially sad when the whole premise was to be safer than the competitors.

Along comes Tradono, a flea-market app, where users can buy and sell items, and where you can filter items close to you. They recently closed a double-digit investment from Switzerland.

First hassle, it’s pin-protected #

So Tradono isn’t launched in every country yet. The app believes for some strange reason I am in Bruges, Belgium. In reality I am in the UK, but no matter what, I am locked out, and need a code to enter.

That is easily bypassed, since the code is 1234:

Poking around, finding user locations #

When you use the application you can change your location to a busier area. I picked Odense, Denmark, birth city of world-famous H.C. Andersen and immediately found the endpoint of a seller:

https://api.tradono.com/users/:user_id/feed?limit=30&offset=0

If you happen to know a seller's user-id, you hit the jackpot: you get a big JSON response back, with lots of objects. One of them is a "geography"-object whose coordinates have fewer digits and are therefore less precise (it points at the centre of the city the user picked), but next to it sits a "location"-object with the user's raw GPS fix, to a precision of a fraction of a metre.

My data is here (I’ve omitted a lot):

[
  {
    "user": {
      "id": 395923,
      "username": "KasperGrubbe",
      "firstname": "Kasper",
      "lastname": "Grubbe",
      "geography": {
        "id": 316,
        "country": {
          "id": 4,
          "name": "Belgium",
          "countryCode": "BE",
          "currency": "EUR",
          "topLevelDomain": "be",
          "limitFeedToBorders": false
        },
        "name": "Bruges",
        "location": [
          51.2607534,
          3.1521061
        ]
      }
    },
    "location": [
      52.91413510465525,
      -1.151836865286622
    ]
  }
]
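To make the difference between the two objects concrete, here is a small script (added to this post as an illustration, not code from Tradono or from the original write-up) that reads a feed entry laid out like the one above, reports what a reader of the endpoint learns about each seller, and shows what a server-side fix could look like. The sample record reuses my own published entry; the `approxLocation` field and the `redact_feed` behaviour are assumptions about how a fix might be shaped, not anything Tradono shipped.

```python
import json
import math

# Constructed sample, modelled on the feed entry quoted above (the author's own
# published record). Only the fields shown in the post are used; their exact
# nesting on the live API is an assumption.
SAMPLE_FEED = json.dumps([
    {
        "user": {
            "id": 395923,
            "username": "KasperGrubbe",
            "geography": {
                "id": 316,
                "name": "Bruges",
                "country": {"countryCode": "BE"},
                "location": [51.2607534, 3.1521061],  # city centroid, 7 decimals
            },
        },
        # raw device GPS fix, 14-15 decimals: far more than any use case needs
        "location": [52.91413510465525, -1.151836865286622],
    }
])


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    r = 6371000.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


def decimals_to_metres(value):
    """Rough ground resolution implied by the number of decimals in a
    coordinate: one degree of latitude is ~111 km, so each extra decimal
    place divides the uncertainty by ten."""
    text = repr(float(value))
    decimals = len(text.split(".")[1]) if "." in text else 0
    return 111_320 / (10 ** decimals)


def extract_leak(feed_json):
    """What any caller of the feed endpoint learns about each seller: the
    coarse city point the app seems to intend to expose, the raw GPS point it
    leaks alongside it, and how far apart the two are."""
    out = []
    for item in json.loads(feed_json):
        user = item["user"]
        coarse = tuple(user["geography"]["location"])
        precise = tuple(item["location"])
        out.append({
            "user_id": user["id"],
            "city": user["geography"]["name"],
            "coarse": coarse,
            "precise": precise,
            "precise_resolution_m": decimals_to_metres(precise[0]),
            "distance_m": round(haversine_m(coarse, precise)),
        })
    return out


def redact_feed(feed_json, decimals=2):
    """Hypothetical server-side fix (not Tradono's): drop the raw GPS point
    before the response leaves the server and keep only a coordinate rounded
    to `decimals` places (2 places is roughly a 1 km grid), which is still
    enough to sort listings by approximate distance."""
    items = json.loads(feed_json)
    for item in items:
        lat, lon = item.pop("location")
        item["approxLocation"] = [round(lat, decimals), round(lon, decimals)]
    return items


if __name__ == "__main__":
    for row in extract_leak(SAMPLE_FEED):
        print(row)
    print(redact_feed(SAMPLE_FEED))
```

Run against the sample, `extract_leak` reports that the "geography" point (Bruges) and the GPS point are roughly 347 km apart, which is exactly why the coarse object is no protection: anyone reading the feed ignores it and takes the precise one. The rounding in `redact_feed` is the cheap part of a fix; the important part is that the raw coordinate never leaves the server in a response meant for other users.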

So what’s the problem? #

Users do not expect their exact location to be shared with everyone else.

And if I were a smart thief, I would now know which items are available in my area, what they are worth and exactly where they are kept, all thanks to Tradono.

Working towards a fix #

02:23 - Sunday, 3/6-2016 - Sent a message to Tradono on Facebook, since I couldn’t find a contact email address (Yes, 02 in the morning!)

18:28 - Monday, 4/6-2016 - No answer, wrote again on Facebook. I managed to find a contact email address inside the application so I wrote there as well.

10:53 - Wednesday, 6/6-2016 - Still no answer, pinged them on Twitter and asked how to get in contact with them.

I never heard back.

2017 - Tamedia, a media company from Switzerland, buys a majority stake in Tradono. Tamedia also owns Trendsales, another app that lets users sell used products to each other.

2019 - Tradono is fully merged into Trendsales and ceases to exist on its own.

2024 - Trendsales is sold to Vinted; months later Vinted shuts Trendsales down and directs its users to Vinted.

