CVS app sends your location to outside servers, researchers say

Don't worry about finding a nearby pharmacy -- they'll find you, a new report suggests. 

Thanks to a coding error with the CVS app, the massive US retail pharmacy has been inadvertently sharing users' locations with more than 40 web servers, privacy experts say.

The app for the drug store allows you to get coupons as well as refill your prescription and find nearby pharmacies. The store-locator feature contains the privacy flaw, which has resulted in the app sending out GPS coordinates to outside entities, said Serge Egelman, director of security and privacy research at the International Computer Science Institute. ICSI is affiliated with the University of California at Berkeley.

The store-locator feature works by sending your location to the company's own servers to figure out if there's a pharmacy nearby, Egelman said. The problem is that it's also sending the details to every other server that loads on the page, Egelman's team found. So any ad that pops up on the locator's webpage, whether it's advertising from Google, Facebook, or Twitter, is also getting your location. Some of the URLs that the CVS app was sending users' locations to included "static.ads-twitter.com" and "www.googleadservices.com."

Egelman said he doesn't think CVS is actively trying to sell its users' location.

"The way that they share the data and the sheer number of third parties with whom they share it seems to be a mistake," Egelman said. "My opinion is that this is simply bad coding, but I obviously can't be certain."

CVS didn't respond to a request for comment.

Egelman shared the research with CVS, but the GPS-sharing flaw hasn't yet been fixed, he said.

The flaw has only been found on the Android version of the app, but Egelman said his team hasn't looked at the iOS version in depth. 

The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.

iHate: CNET looks at how intolerance is taking over the internet.