Security vulnerabilities in hundreds of GPS tracking services have been discovered by security experts, that could risk the exposure of sensitive data on millions of devices. The flaws affect GPS services that gather users' geolocation data from smart GPS-enabled devices such as kids trackers, pets trackers, and car trackers, among others.

The vulnerabilities were discovered by two security researchers – Vangelis Stykas and Michael Gruhn – who in a report titled "Trackmageddon" detail GPS services using laughably weak passwords (123456), unsecured APIs and more, could potentially allow hackers access to users' location data and more.

Gruhn told IBTimes UK that the vulnerable GPS tracking services were found exposing a whole host of sensitive data including location information, device model and type information, IMEI numbers, phone numbers and custom assigned names. In some cases, photos and audio recordings uploaded by devices were also found exposed.

Gruhn told us that Vangelis was the first to discover the flaws in http://gpsui.net on 13 November 2017, who then reached out to Gruhn on Twitter. Between 18 November and 25 November last year, the duo discovered the flaws in multiple domains. Despite having attempted to contact all the affected online services, they still remain vulnerable.

The researchers believe that ThinkRace, one of the largest global vendors for GPS tracking devices, may have been the original developer of the vulnerable online service and software, which the firm licensed to other vendors. Although the four ThinkRace domains affected by the vulnerabilities have been fixed, the other domains still using the same flawed services remain vulnerable.

"Our moral dilemma was that users cannot remove their location history. Only a vendor can do that," Gruhn told Bleeping Computer. "We disclosed because we rated the risk posed by attackers extracting live location data (that is an attacker knowing where you currently are every time you use the device) far higher than the risk posed by an attacker knowing where you have been in the past. So users can now protect themselves from the far worse attacks by not using the devices even if this means their location history remains exposed because vendors are not fixing this."

According to Gruhn, the estimated number of devices affected by the vulnerabilities fall short of six million, however, the actual number could vary given that not all affected devices may be active.

"We have 79 domains (including sub-domains) listed as still vulnerable. But we cannot eliminate the possibility that there are other sub-domains under a vulnerable domain. Neither can we rule out that there are more websites that exhibit the same vulnerabilities," Gruhn told CSO online.

Click here to find the entire list of affected domains and read the Trackmageddon report.