Researchers affiliated with the International Computer Science Institute in Berkeley, California, have discovered a flaw in U.S. pharmacy-giant CVS’ iOS app, which has apparently been causing the mobile application to “inadvertently share users’ location data with more than 40 web servers.” That’s according to Serge Egelman, director of user security and private research at ICSI, who shared his team’s findings with both CVS and the International Business Times this week.

According to the report, Egelman and his team discovered the “critical privacy flaw” within the CVS Pharmacy mobile app’s in-built Store Locator feature, which results in the app dispatching the user’s precise GPS coordinates to “dozens of third-party web servers.” Egelman said he and his team “could not imagine a legitimate reason” why an app like CVS’ would share customer’s location data with so many third-party sources.

How Does This Happen?

The CVS Pharmacy mobile app for iOS comes standard with a GPS-driven Store Locator feature, allowing shoppers to locate and get directions to their nearest CVS pharmacy location by merely sending their GPS location data directly to one of the company’s servers. Sounds fairly simple and harmless enough, right? Well, Egelman and his team unfortunately found that the CVS app was inexplicably sending these vital customer details to “any other server that loads on the CVS store locator’s web page.”

“We double checked our logs and even manually re-tested the app. It wasn’t an error; we were able to reproduce this result every time, on multiple versions of the app,” Egelman said about his team’s efforts to pin-point the issue in a blog post, while adding that he believes “the most likely explanation is simply really poor software engineering practices.”

Researchers went on to say they have no idea why or how the CVS app would be voluntarily configured to function the way it was found, but Egelman has nevertheless reported contacting CVS and sharing his team’s findings with them.. As for CVS’ response? Well, it certainly begs a few more questions than it answers: “[CVS] does not share your location or information with any third parties,” the company allegedly said in response to Egelman’s email. “You may, however, if you are not using our app, turn off the locations.”