> The API allows an application to check if a mobile device is in proximity of a...

legulere · on Aug 11, 2023

With adjustable accuracy range you can do binary search to find out where someone is.

PreInternet01 · on Aug 11, 2023

Which is where API rate limits come in. But if you really need to know where someone is, today, just be a telco with its own mobile infrastructure, and you can pretty much query the current network+cell ID of any of your subscribers without any limitations.

Same goes for anyone with, say, subpoena powers in your jurisdiction and/or sufficient (social) engineering skills. And cell ID to geo mapping is also a solved problem...

mplewis · on Aug 11, 2023

API rate limits don't keep you from doing the nasty stuff when you want to target one specific individual.

wolpoli · on Aug 11, 2023

Even if API rate limit exists and is strictly enforced, it's also easy to bypass it with multiple API keys and over time. Most people adhere to a weekly schedule.

Koffiepoeder · on Aug 11, 2023

Rate limits can also be based on the message contents, e. g. max 20 lookups per day for a cell.

wongarsu · on Aug 11, 2023

Assuming you already know what continent somebody is on, 20 circles of 200km radius (120 miles) should cover most of the major population centers.

If you live out in Nebraska or the middle of the Sahara this attack is easy to defend against, but humans tend to clump up.

zamadatix · on Aug 12, 2023

Sounds like a great way to DoS someone out of being able to use their banking app.

barbazoo · on Aug 11, 2023

Depends on the limit and how it's implemented

barbazoo · on Aug 11, 2023

> AND no rate limit exists.

m4rtink · on Aug 11, 2023

Sounds like you can just easily triangulete someone using this API.

downrightmike · on Aug 11, 2023

Yeah, the apple air tags do something similar, the more devices the more accurate the location