Cell phone tracking firm's website leaked users' real-time locations
  • 6 years ago
PITTSBURGH, PENNSYLVANIA — A company that collects real-time location data of millions of cell phone users throughout North America had a bug on its website that let anyone see where a person was located without having to obtain consent.

LocationSmart is a data aggregator and says it has "direct connections" to cell carriers to obtain location information from nearby cell towers, according to ZDNet.
The website has a trial page that allows interested customers to test the accuracy of the system.

The page obtains explicit consent from the user by sending a one-time text message before location data can be collected.

However, a bug on the website, discovered by Carnegie Mellon University researcher Robert Xiao, allowed anyone to track someone's location without their consent.
Xiao told ZDNet that a simple bug allowed a person to skip the consent section and jump straight to the location.

In a statement from spokesperson Brenda Schafer, LocationSmart "confirmed that the vulnerability was not exploited prior to May 16, and did not result in any customer information being obtained without their permission."
Xiao said the bug may have exposed almost every cell phone user in North America, around 200 million customers, ZDNet reported.