Researchers have discovered that US retail pharmacy giant CVS' app has been inadvertently sharing users' location data with more than 40 web servers.
Serge Egelman, director of usable security and privacy research at the International Computer Science Institute in Berkeley, California, reported that the CVS pharmacy mobile app's store locator feature includes a privacy flaw that results in it accidentally sending GPS coordinates to outside web servers.
When the researchers made the discovery, Egelman said they "could not imagine a legitimate reason" why an app would share location data with so many third parties and thought there was an issue with their own analysis tools.
"We double checked our logs and even manually re-tested the app. It wasn't an error; we were able to reproduce this result every time, on multiple versions of the app," Egelman wrote in a blog post.
The app's store locator feature allows users to find pharmacies nearby by sending a person's location to the company's servers.
However, the researchers found that the app also inadvertently sent these details to every other server that loads content on the CVS store locator's web page.
These include ads from various third-party entities such as Google, Facebook and Twitter.
For example, some of the URLs that received GPS coordinates from the CVS app included "www.googleadservices.com", "www.facebook.com" and "analytics.twitter.com".
Researchers said they have "no idea" why the app would be set up to function this way but suspect "the most likely explanation is simply really poor software engineering practices".
"We literally cannot think of any legitimate reason for doing this," Egelman said. "Given that most of the recipients of the location data likely aren't expecting to receive GPS coordinates via the User-Agent string, it's likely that many aren't aware that they're even receiving them from CVS app users.
"Of course, they likely have the data stored somewhere, and could possibly be using it. We can't know for sure."
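The leak described above surfaces in traffic captures as a GPS fix embedded in a request header sent to every host a page loads. The script below is an added audit example, not code from the researchers or from CVS: it scans constructed request records for decimal-degree pairs in header values and lists which third-party hosts received them. The header encoding, the sample URLs and the first-party suffix list are all assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts treated as first party for this audit (an assumption for the example).
FIRST_PARTY_SUFFIXES = ("cvs.com",)

# Two decimal-degree numbers with 4+ fractional digits, separated by a delimiter
# and optionally a "long="/"lon:" label. The encoding is constructed, not CVS's.
COORD_RE = re.compile(
    r"(?<![\d.])(-?\d{1,2}\.\d{4,})[;,/ ]+(?:long?[=:])?(-?\d{1,3}\.\d{4,})(?![\d.])"
)

def extract_coords(value):
    """Return (lat, lon) if the header value embeds a plausible GPS fix, else None."""
    for m in COORD_RE.finditer(value):
        lat, lon = float(m.group(1)), float(m.group(2))
        if -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0:
            return (lat, lon)
    return None

def is_first_party(host):
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)

def audit_requests(requests):
    """Map each destination host that received coordinates to the (header, fix) pairs seen."""
    leaked = defaultdict(set)
    for url, headers in requests:
        host = urlsplit(url).hostname or ""
        for name, value in headers.items():
            coords = extract_coords(value)
            if coords is not None:
                leaked[host].add((name, coords))
    return {h: sorted(v) for h, v in leaked.items()}

def third_party_recipients(requests):
    """Hosts outside the first-party suffixes that received a GPS fix in any header."""
    return sorted(h for h in audit_requests(requests) if not is_first_party(h))

# Constructed sample capture: URLs and header values are made up for the example.
UA = "CVS/4.1 (iPhone; iOS 12) lat=37.8716;long=-122.2727"
SAMPLE = [
    ("https://www.cvs.com/store-locator/landing", {"User-Agent": UA}),
    ("https://www.googleadservices.com/pagead/conversion.js", {"User-Agent": UA}),
    ("https://analytics.twitter.com/i/adsct", {"User-Agent": UA}),
    ("https://cdn.example.net/lib.js", {"User-Agent": "CVS/4.1 (iPhone; iOS 12)"}),
]

if __name__ == "__main__":
    for host in third_party_recipients(SAMPLE):
        print(host, audit_requests(SAMPLE)[host])
```

Feeding real proxy logs through `audit_requests` in place of `SAMPLE` gives the per-host list a privacy review would attach to a vendor report.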
The researchers contacted CVS and shared their findings about the flaw. In response, the company claimed they "do not share your location or information with any third parties."
"You may however, if you are not using our app, turn off the locations," the firm said in response to Egelman's email.
"This is empirically false," Egelman said in a separate blog post. "They also claim that I can turn off location-sharing, but only if I'm not using their app. I can only assume that's a typo, rather than a statement that their app users cannot opt out of location-sharing."
IBTimes UK has reached out to CVS for comment.