Check-In Services Glitches Allow Customer Impersonation

The increasingly popular check-in services, where users let friends know where they are by "checking in" at specific retailers using their smartphones, have two major security flaws, according to one independent testing firm.

The first allows consumers to easily impersonate other users—and thereby access their rewards, which means the stores are not attracting the consumer they wanted to attract—and the second defeats users' efforts to go into a confidential mode, where their whereabouts are not supposed to be distributed.

At least one of the check-in services, which include Foursquare, Gowalla and Brightkite, suffers from the impersonation bug, according to Matt Johnston, VP/Marketing for uTest, a crowd-sourced software testing firm. Johnston wouldn't say which vendor's products suffer from that flaw.

The impersonation bug involves changing a few characters in the URL. Specifically, the consumer replaces his/her login name with the name of the person being targeted. Getting users' names is easy, especially if you're already on one of their lists.

With that URL change—no password is required—the system allows all E-mail and privacy settings to be changed, which should provide access to all data.

The problem with the end-user privacy setting—termed something like "going dark," "offline" or "off the grid"—is that, according to one uTest reviewer, "if anyone subscribes to this feed via RSS, they continue to see your off-the-grid checkins. So my secret date or job interview is no longer private!"

The vendor with that last glitch, Johnston said, had apparently tried to be thorough in its off-the-grid feature, "as it did shutdown synching with Facebook and Twitter. They considered this, but they didn't take it all the way through."

Johnston said the companies with the glitches had been alerted and are in the process of trying to address the problems.