Slashdot Mirror


Using XSS & Google To Find Physical Location

wiredmikey sends along a brief (and quite poorly written) report from Security Week on Samy Kamkar's talk at Black Hat last week. In the video, which is amusing, he demonstrates how to obtain location information (within 30 feet, in the example he shows) of a user who does no more than visit a malicious website. The technique involves sniffing out the local router, breaking into it to obtain its MAC address, and sending that to Google to extract the router's location from Google's Street View database.

5 of 77 comments

  1. Location is the least of your problems by AndrewStephens · · Score: 3, Insightful

    What scares me the most is that to get the location they demonstrate a plausible way to access the settings on your router (if you use the default credentials.) If I was evil (or more evil) I wouldn't care about the location, I would just change the router's DNS settings and redirect all the traffic through a server of my choice.

    --
    sheep.horse - does not contain information on sheep or horses.
    1. Re:Location is the least of your problems by AndrewStephens · · Score: 2, Insightful

      Based on my experience, at least 80% of the home routers in use still have the default credentials unchanged since they were unpacked. That's a lot of the population vulnerable.

      --
      sheep.horse - does not contain information on sheep or horses.
  2. Not reliable by Improv · · Score: 2, Insightful

    Any technology that requires the local router to be easily and mechanically hackable is not a reliable one. The title on this post is thus terribly chosen.

    --
    For every problem, there is at least one solution that is simple, neat, and wrong.
  3. Don't be evil? by Invisible+Now · · Score: 3, Insightful

    The fundamental question is: Should Google be snooping and publishing MAC locations at all?

    Do I have the right to opt out of their system - albeit at the cost of not automatically getting the shortest route to my nearest pizza place on my iPad without manually entering my address?

    What happens when the first battered wife is tracked down and murdered by her husband at a woman's shelter because her hacker smart husband crafts an exploit?

    --

    "Knowing everything doesn't help..."

  4. you sent a doc to Wikileaks? we send a Drone! by kubitus · · Score: 3, Insightful

    bye bye freedom!

    so this is the real reason for WLAN sniffing of Google!