A cell-phone tracking service called LocationSmart reportedly made anyone’s location available for the asking through a flaw in a public demo website.

The site was designed to require a user to opt in through their phone before disclosing their location, but an apparent error in an API it used made it possible for anyone to get anyone else’s geographic coordinates without their consent, simply by asking for the data in a particular format, according to a blog post by Robert Xiao, the Carnegie Mellon University researcher who spotted the bug.

“That’s all,” he wrote. “The entire consent process is bypassed and you have the phone’s location.”

The LocationSmart demo page. Its website boasts access to databases of the major U.S. phone providers [Screenshot: Locationsmart.com]

Under normal circumstances, the demo will only track phones in real time after receiving opt-in consent from the phone’s user via an automated text message or phone call. But using the application programming interface (API) that powers the demo, Xiao requested a phone number’s location in JSON format, instead of the default XML format.

“For some reason,” he writes, “this also suppresses the consent (“subscription”) check,” a bit of code the API typically uses to require that consent has been obtained. In return, Xiao received a page with the phone’s latitude and longitude.

Location information was available for subscribers to at least the four largest U.S. carriers–Verizon, AT&T, T-Mobile, and Sprint–according to KrebsOnSecurity, which first reported the story. LocationSmart told KrebsOnSecurity the…