Geolocation XSS Tracker Proof of Concept

Jamie found a bit of a scary link this morning that demonstrates a router XSS getting your MAC address and using it to map your current location. Which I'm sure is totally no big deal for anyone.
  • Geoduping (Score:5, Funny)

    by __aagctu1952 ( 768423 ) on Monday October 04, 2010 @12:30PM (#33785120)

    Even worse, with some clever XSS you can make Slashdot post the same story twice [slashdot.org]!
    Oh wait, that's just shitty editing. Sorry.

    • Yeah, that's why they put it in the dupe section:
      http://dupe.slashdot.org/story/10/10/04/164241/Geolocation-XSS-Tracker-Proof-of-Concept [slashdot.org]

      • Fail for my MAC (Score:5, Informative)

        by AliasMarlowe ( 1042386 ) on Monday October 04, 2010 @01:49PM (#33786048) Journal
        Well, I entered my router's MAC just for giggles, and it said "Sorry, didn't find anything". This router has been continuously connected with a fixed public IP address for over a year.
        Then I entered my previous router's MAC, and got the same result. The previous router is in storage in the attic, but was in use with very few brief breaks for about 6 years. Also with a fixed public IP address.
        Clearly, their MAC geolocation database has a teeny hole - or more likely loads of vast gaping chasms.
        • You didn't state if your routers have WiFi. That's pretty much what is necessary for this trick to work. My recently bought and implemented WAP does indeed have a geolocation (heck, I uploaded it to Wigle myself), but my nearly 8 year old DSL-only router doesn't, no surprise.
          • You didn't state if your routers have WiFi.

            My oversight.
            New/old routers have WiFi which is/was enabled, albeit with MAC filtering and WPA2 (the old one had WPA). The Google Streetview camera car has been through the area last year, so they should have harvested the router's MAC address. Hell, one of our cars is fairly distinctive and appears to be in one of the online images on Streetview.

            • Re:Fail for my MAC (Score:4, Informative)

              by gad_zuki! ( 70830 ) on Monday October 04, 2010 @05:12PM (#33788346)

              Hmm, just guessing, but are you checking your wifi interface MAC and not your wired interface wifi? Also, how's the reception outside your home? If the streetview car can't see your SSIDs then it's not going to get that MAC. I'm not certain if google's sniffer was able to sniff pre-encrypted headers with the MAC if SSID broadcast is disabled.

        • Pretty much everywhere that has Google Streetview I'd guess ...

          It seems to default back to IP geolocation (despite claims that it doesn't), as it got the correct country and city, but at least 30km out on the position for my router / static IP address.

          If your router's MAC hasn't been scanned, how could they possibly match it in a DB? This is no more "scary" than the fact they scanned places in the first place, and now are happy to release that info to anyone who queries it.

  • Or, maybe it doesn't (Score:5, Interesting)

    by loftwyr ( 36717 ) on Monday October 04, 2010 @12:38PM (#33785222)

    Apparently my router is currently sitting in the former main office of the major telco for my area. Which is across town from me.

    And here I was thinking it was on my desk.

    So, fail

    • Heh, mine says it's across the country. My home one says I'm in Hawaii...when I'm much closer to Hawaii's 9th island.
    • by TooMuchToDo ( 882796 ) on Monday October 04, 2010 @01:10PM (#33785602)

      Mine was dead on, with the blue dot indicator actually on top of my townhouse (out of 5). Clearly, YMMV.

      • I think, perhaps, that you may be the exception instead of the rule. I checked my router's MAC address and the response was a town northwest of Seattle (I live in southeast Wisconsin). Chances are that many of the results will be the router's origin: the manufacturing site.
      • Yup - same here. I live in a relatively rural area and the location was exact. Like posters above said - matters not about encryption as the MAC address is sent clear (all my APs are WPA2 only)
      • by dnrck ( 973325 )
        Mine was within my block but not quite dead...still worrying.
    • Not sure what it is supposed to do but the map at the bottom of the page indicates some location somewhere in the US.

      I'm at least 16 hours flight away (that's the shortest flight from here to north-west US; to get to the south-east it's more like 20 hours).

      Appears like a total fail. And I can't be bothered to try and find the MAC address of my wifi router to enter it in that site. I just used the Firefox location thing.

      Total fail for me too. Many times I've been located (by IP address) to at least the co

    • My MAC is in Scottsdale AZ USA, but I am 11 hours away, almost exactly on the other side of the earth. Oh well, what the hell.
  • No location given when I entered my MAC on the test site. Pah.
  • I'm in southern Indiana. It says I'm in Chicago.

    So close...

  • I'm in Moscow, but my coordinates seem to be
    "latitude":34.0919483
    "longitude":-118.3462152
    "country":"United States"
    "country_code":"US"
    "region":"California"
    "county":"Los Angeles"
    "city":"Los Angeles"
    "street":"N Formosa Ave"
    "street_number":"1140"
    "postal_code":"90046"
    "accuracy":36.0

    • Re: (Score:3, Funny)

      by idontgno ( 624372 )

      In Soviet Los Angeles...

      Nope. That's it, that's all I've got. Damn. Seemed so promising.

    • I get the exact same location. Accessing this site from Hong Kong.

      • Re: (Score:3, Informative)

        by wvmarle ( 1070040 )

        To follow up on my own post:

        I just tried the example MAC that is given on the web site, and that one failed as well. Also that same location in Los Angeles, USA.

        Not sure what's going on here but as proof of concept it seems to fail pretty miserably for me. Oh and that's with the latest Firefox (v.3.6.10) available on Ubuntu 10.04.

    • Re: (Score:3, Informative)

      by Ksevio ( 865461 )

      That's the default for the page - you have to click one of the links on the page to change things.

      In Firefox/Opera, click the link in "If you're on Firefox, you can test the Location Services by clicking here. " and the map will change.

  • It has no data on my MAC, but here I am posting away. I wonder what sort of app I'm using to post without a computer.

  • Dead beef (Score:4, Funny)

    by Abstrackt ( 609015 ) on Monday October 04, 2010 @12:56PM (#33785444)
    Apparently 00-de-ad-be-ef-00 is in downtown Toronto.
  • by mrkitty ( 584915 ) on Monday October 04, 2010 @01:12PM (#33785632) Homepage
    The XSS FAQ
    http://www.cgisecurity.com/xss-faq.html [cgisecurity.com]
  • by plastick ( 1607981 ) on Monday October 04, 2010 @01:14PM (#33785654)
    NoScript will protect you from this (XSS) - even if you have it set to globally allow javascript.
  • Not found (Score:3, Informative)

    by iONiUM ( 530420 ) on Monday October 04, 2010 @01:18PM (#33785694) Journal

    Mine says not found. Probably because I don't have broadcast SSID on my wireless, judging by the procedure he's using (google locator). If this is the case, why does anyone broadcast their SSID to begin with? I never really understood that. There's no benefit for home users, since chances are 99% of the devices you use on a daily basis are not new, and so you only have to take the extra 5 seconds to manually enter the SSID once.

    • Re:Not found (Score:4, Informative)

      by Anonymous Coward on Monday October 04, 2010 @02:00PM (#33786176)

      Short answer: It's easier, and more secure.

      If you don't broadcast your SSID, your laptop or other devices will keep polling for it when it's not around, thus you're essentially broadcasting your SSID wherever you go.

      http://www.howtogeek.com/howto/28653/debunking-myths-is-hiding-your-wireless-ssid-really-more-secure/ is a good read.

      On a sort of unrelated note, I was slightly disappointed that even when I hand-fed this script my mac address it still didn't have my location. Then I remembered I changed my mac address to try to fix some problems with comcast, and google had my old one. I wonder if there's anything to be gained by spoofing your mac address as one from another location, possibly to circumvent some geolocked content?

      • I wonder if there's anything to be gained by spoofing your mac address as one from another location, possibly to circumvent some geolocked content?

        Unlikely. Such things are usually geolocated via IP address, not MAC.
        You could maybe spoof your IP address, or use an appropriate proxy.

    • re: broadcast SSID (Score:3, Interesting)

      by King_TJ ( 85913 )

      I find broadcasting the SSID helps greatly in troubleshooting wireless issues for other people, if nothing else.
      If I get called out to the typical home user's place to help them "fix their problems getting on the Internet", they often don't have any clue what their SSID is set to. All they know is that "It worked ever since the Geeksquad guys came out and set it all up for us!" or what-have-you.

      On more than one occasion, I discovered the reason someone had issues had to do with neighbors buying new Linksys

    • by pongo000 ( 97357 )

      Mine says not found. Probably because I don't have broadcast SSID on my wireless, judging by the procedure he's using (google locator).

      I don't broadcast my SSID, never have. Yet this script located my browser to within about a 500 ft. radius of my address.
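To show why the posters above are right that neither encryption nor a hidden SSID keeps an access point's MAC off the air: the following is an added example, not code from the original thread, that constructs a minimal 802.11 beacon frame and then parses it the way a passive scanner would. The BSSID sits in the unencrypted MAC header of every beacon, and a "hidden" network still beacons, just with a zero-length SSID element. The `00:de:ad:be:ef:00` address is the one a commenter typed above; everything else (the SSID, the layout helper) is constructed. A real capture would also carry a radiotap header and a trailing FCS, which this parser does not handle.

```python
import struct


def build_beacon(bssid, ssid, privacy=True):
    """Construct a minimal 802.11 beacon frame (constructed sample, not a capture).

    Layout: 24-byte MAC header, then fixed fields (timestamp, interval,
    capability), then tagged information elements. No radiotap header, no FCS.
    """
    frame_control = b"\x80\x00"          # type 0 (management), subtype 8 (beacon)
    duration = b"\x00\x00"
    addr1 = b"\xff" * 6                  # beacons are sent to the broadcast address
    addr = bytes.fromhex(bssid.replace(":", "").replace("-", ""))
    seq_ctrl = b"\x00\x00"
    header = frame_control + duration + addr1 + addr + addr + seq_ctrl  # addr2 = addr3 = BSSID
    timestamp = struct.pack("<Q", 0)
    interval = struct.pack("<H", 100)    # one beacon every 100 TUs (about 102 ms)
    cap_bits = 0x0001 | (0x0010 if privacy else 0)  # ESS bit, plus privacy bit when WEP/WPA is on
    capability = struct.pack("<H", cap_bits)
    ssid_ie = bytes([0, len(ssid)]) + ssid   # tag 0; a "hidden" SSID is sent with length 0
    rates_ie = bytes([1, 1, 0x82])           # tag 1, supported rates: 1 Mbps (basic)
    return header + timestamp + interval + capability + ssid_ie + rates_ie


def _fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame):
    """Return what a passive listener learns from one beacon, encrypted network or not."""
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    transmitter = frame[10:16]           # addr2
    bssid = frame[16:22]                 # addr3
    body = frame[24:]
    _timestamp, _interval, cap = struct.unpack_from("<QHH", body, 0)
    ies = {}
    offset = 12                          # skip the three fixed fields
    while offset + 2 <= len(body):
        tag, length = body[offset], body[offset + 1]
        ies[tag] = body[offset + 2:offset + 2 + length]
        offset += 2 + length
    ssid = ies.get(0, b"")
    return {
        "bssid": _fmt_mac(bssid),
        "transmitter": _fmt_mac(transmitter),
        "privacy": bool(cap & 0x0010),   # encryption is on, yet the header above is plaintext
        "ssid": ssid.decode("utf-8", errors="replace"),
        "ssid_hidden": len(ssid) == 0,
    }


if __name__ == "__main__":
    # A WPA2 network with SSID broadcast turned off still announces its BSSID.
    print(parse_beacon(build_beacon("00:de:ad:be:ef:00", b"")))
```

Running it with an empty SSID shows `privacy` True, `ssid_hidden` True and the BSSID fully readable, which is exactly the field a wardriver or a street-survey car records.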

  • Typed in the MAC (00-23-97-20-EA-9B) and got this: Sorry, didn't find anything for 00-23-97-20-ea-9b.

    Also tried the other two links.. one just brings up my router page (192.168.1.1:80) which asks for a login & password, and the firefox one (I'm using Chrome) doesn't work either. Well kind of. If I enable location services in Chrome, it will load a map, but it won't place a mark anywhere, and it's centered on a town about a 35 minute drive away.
  • Allowed his page temporarily but still doesn't work.

    Other than google analytics, everything else is permitted.

    no script,
    flashblock,
    adblock,
    web of trust
    better privacy

  • The XSS posted works only on a small class of SOHO routers, e.g. Westell UltraLine Series3 Routers.
    If you have anything more sophisticated than a Westell UltraLine Series3 router, you are not affected.
    The XSS uses the factory default router IP 192.168.1.1 to send HTTP requests to your router.
    • So it sounds like my house is immune for many obscure reasons, which is to say, I apparently have been practicing "obscurity in depth" as my security strategy.

      Firstly, for slightly complicated historical reasons, I have my internal home network on 192.168.N.0/24, where N is not zero or one.

      Secondly, my desktop machines are not on the wireless, they're wired to the router, and the wired port has a different MAC than the wireless, invisible to Google.

      Thirdly, I don't broadcast my SSID, which might mean it's n

  • He didn't get my address, but he did my neighbor, Mike's house across the street. Which means anyone trying to rob me will go there, instead. Which means I guess it's perfectly safe for me to leave this on, since I don't much like Mike, anyway.

  • Isn't this just looking at wardriving data that was submitted to various wardriving geolocation databases?

    1) You broadcast your wireless MAC to the universe via wireless.
    2) Dude picks it up on a wardrive scan.
    3) Dude uploads his logs to http://wigle.net/ [wigle.net] or some other database.
    4) Google gets data from these databases (how?) and puts it into their geolocation database

    I know I've uploaded my own wireless MAC to wigle before, so no help there. Then again, I have an android phone that connects to my wireless ro

  • I have the same router, but apparently the script is broken if you have your internal DHCP server dishing out any other IP range BESIDES 192.168.1.x

    Mine is set to 192.168.25.1 and the script failed on an unprotected browser.

    Could this be another win for non-standard setups... Or would this be easy enough to code around?

  • I cannot count the number of ISPs that I've had to deal with where if you do a reverse-dns lookup of a user's IP address, their MAC address shows up in the DNS name given by the ISP's DNS server. More so from this, virtually every wireless router I've worked on to date has the WAN, LAN, and Wifi MAC address in sequential order.

    So, who needs XSS for this? Simply pull a reverse-dns of the IP address, and odds are that the MAC address will be +- 1 or 2 away from the WAN MAC that the ISP just handed over to you
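The reverse-DNS leak this comment describes is something you can check on your own ISP-assigned address without any XSS. What follows is an added example, not code from the thread or from any ISP, that scans PTR names for an embedded MAC address in the spellings ISPs commonly use and reports which records leak one. The sample records use documentation IP space and a made-up ISP domain, and `lookup_ptr` is only a thin wrapper over `socket.gethostbyaddr` for running the same check against a live address.

```python
import re
import socket

# Spellings in which a PTR name tends to embed a customer MAC: twelve bare hex
# digits, six 2-digit octets joined by ':' or '-', or three 4-digit groups joined
# by '.' (Cisco style). The look-arounds stop a longer hex run (a hash, an IPv6
# fragment) from being taken for a MAC.
_MAC_PATTERNS = [
    re.compile(r"(?<![0-9a-f])([0-9a-f]{12})(?![0-9a-f])", re.I),
    re.compile(r"(?<![0-9a-f])((?:[0-9a-f]{2}[:\-]){5}[0-9a-f]{2})(?![0-9a-f])", re.I),
    re.compile(r"(?<![0-9a-f])((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})(?![0-9a-f])", re.I),
]


def normalize_mac(raw):
    """Canonicalise any of the spellings above to lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_mac_in_ptr(ptr_name):
    """Return the normalised MAC embedded in a PTR name, or None if there is none."""
    for pattern in _MAC_PATTERNS:
        match = pattern.search(ptr_name)
        if match:
            return normalize_mac(match.group(1))
    return None


def audit_ptr_records(records):
    """records: iterable of (ip, ptr_name). Returns {ip: mac} for the records that leak a MAC."""
    leaks = {}
    for ip, ptr_name in records:
        mac = find_mac_in_ptr(ptr_name)
        if mac is not None:
            leaks[ip] = mac
    return leaks


def lookup_ptr(ip):
    """Live reverse lookup for checking your own public address; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


# Constructed sample PTR data (RFC 5737 documentation addresses, made-up ISP domain).
SAMPLE_PTRS = [
    ("198.51.100.10", "cm-001a2b3c4d5e.cable.example-isp.net"),      # bare hex: leaks
    ("198.51.100.11", "00-1a-2b-3c-4d-5f.dhcp.example-isp.net"),     # hyphenated: leaks
    ("198.51.100.12", "host-198-51-100-12.example-isp.net"),         # IP only: clean
    ("198.51.100.13", "001a.2b3c.4d60.example-isp.net"),             # dotted groups: leaks
    ("198.51.100.14", "dsl-pool-1234567890abcdef.example-isp.net"),  # 16 hex digits: not a MAC
]


if __name__ == "__main__":
    for ip, mac in audit_ptr_records(SAMPLE_PTRS).items():
        print(f"{ip}: PTR name embeds MAC {mac}")
```

If your own address comes back with a MAC in it, the fix is on the ISP side (a naming scheme that does not encode the customer's hardware address); on your side, a router that lets you set the WAN MAC at least decouples the published value from the wireless one.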

  • Weird (Score:4, Interesting)

    by ichthus ( 72442 ) on Monday October 04, 2010 @03:40PM (#33787378) Homepage

    I have two Wireless APs -- one of which is only active occasionally for guests. Here's what I got when I entered my MACs:

    Everyday (always on) router: It found my city, but the address was about two miles away.

    Guest router: It pinpointed my father-in-law's address. This is strange, because my router has never been located at his house. But, HE HAS CONNECTED TO MY ROUTER. Interesting.

    I checked the first address again, and this would be a friend's house, who I once connected his laptop to my network when I was fixing it.

    I'm not completely familiar with 802.11, but it would appear that computers that had previously connected to my MAC are regularly pinging this MAC in such a way as to be received by the Google drive-by's and recorded as actual MACs of actual APs. Is there another explanation?

    • It's reassuring to know that there is a 1:1 relationship between devices and mac addresses and that each device in the world that requires a mac address has its own very unique mac and that there is no duplication. Heaven forbid the calamity that should arise if there was any duplication at all.

    • Guest router: It pinpointed my father-in-law's address. This is strange, because my router has never been located at his house. But, HE HAS CONNECTED TO MY ROUTER. Interesting.

      Possible scenario for your guest router:

      - your father has likely given Google the exact location of his laptop, while at his own home. Can be very useful for personalising search results.

      - also because he's done Google searches before so probably he's got a cookie uniquely identifying that laptop, if only for those personalised search results.

      - he connects to your guest router: Google finds that this laptop now has a new MAC address, and uses the previously known location information to link to the new M

  • PDF Presentation (Score:2, Interesting)

    It's worth noting that the presentation titled "Bad Memories", which was presented at the BlackHat conference, is very similar to this. PDF available: http://media.blackhat.com/bh-us-10/whitepapers/Bursztein_Gourdin_Rydstedt/BlackHat-USA-2010-Bursztein-Bad-Memories-wp.pdf [blackhat.com]
  • I am amazed that this actually is tracked by the google van or whatever. It found my old address based on the mac address of my wireless adapter in that particular router. The wan and lan addresses were not found. So it appears that google has a list of many MAC addresses and their locations. Quite scary, and obviously impossible to opt out of.

    I really hope some north american government looks into this. What possible non-abusive use could this possibly serve? At least the router I am using allows me to cha

    • Obvious use: personalised search results.

      E.g. you're looking for "take-away pizza" then they can look for the pizza shops closest to your location, without you having to dig through the results manually or having to enter your address yourself.

  • Phew! Good thing I use a PC
  • With Apple devices only using wifi/telcos, maps grabbing MACs, apps grabbing gps/MAC/serial numbers. Ads tracking deep in flash/html5 databases.
    Modems/wifi units selling with bar code MACs on the side of the box with online extra warranty forms.
    This is all a lot of internal work to track a few ads to message you about 'free' coffee as you walk past a cafe.
    Is the MAC one of the few stats of value now in any device?
    Why are so many dumb devices leaking so much unique info out of the box?
  • need to get this to track my gf when she is out of country, so i know when she is getting back....lol
