Want CNET to notify you of price drops and the latest stories?

CVS app sends your location to outside servers, researchers say

Privacy experts say the pharmacy inadvertently sends users' whereabouts to more than 40 web servers, including ones owned by Google, Twitter and Facebook.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
2 min read

CVS Pharmacy's store locator feature is also inadvertently sending your location data out, according to researchers.

Saul Loeb / AFP/Getty Images

Don't worry about finding a nearby pharmacy -- they'll find you, a new report suggests. 

Thanks to a coding error with the CVS app, the massive US retail pharmacy has been inadvertently sharing users' locations with more than 40 web servers, privacy experts say.

The app for the drug store allows you to get coupons as well as refill your prescription and find nearby pharmacies. The store-locator feature contains the privacy flaw, which has resulted in the app sending out GPS coordinates to outside entities, said Serge Egelman, director of security and privacy research at the International Computer Science Institute. ICSI is affiliated with the University of California at Berkeley.

The store-locator feature works by sending your location to the company's own servers to figure out if there's a pharmacy nearby, Egelman said. The problem is that it's also sending the details to every other server that loads on the page, Egelman's team found. So any ad that pops up on the locator's webpage, whether it's advertising from Google, Facebook, or Twitter, is also getting your location. Some of the URLs that the CVS app was sending users' locations to included "static.ads-twitter.com" and "www.googleadservices.com."

Egelman said he doesn't think CVS is actively trying to sell its users' location.

"The way that they share the data and the sheer number of third parties with whom they share it seems to be a mistake," Egelman said. "My opinion is that this is simply bad coding, but I obviously can't be certain."

CVS didn't respond to a request for comment.

Egelman shared the research with CVS, but the GPS-sharing flaw hasn't yet been fixed, he said.

The flaw has only been found on the Android version of the app, but Egelman said his team hasn't looked at the iOS version in depth. 

The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.

iHate: CNET looks at how intolerance is taking over the internet.