Slashdot Mirror

← Back to Stories (view on slashdot.org)

Geolocation XSS Tracker Proof of Concept

Posted by CmdrTaco on from the oh-thats-fine-i'm-sure dept.

Jamie found a bit of a scary link this morning that demonstrates a router XSS getting your MAC address and using it to map your current location. Which I'm sure is totally no big deal for anyone.

6 of 102 comments (clear)

  1. Re:Or, maybe it doesn't by TooMuchToDo · · Score: 4, Informative

    Mine was dead on, with the blue dot indicator actually on top of my townhouse (out of 5). Clearly, YMMV.

  2. The Cross-site Scripting (XSS) FAQ by mrkitty · · Score: 4, Informative

    The XSS FAQ
    http://www.cgisecurity.com/xss-faq.html

    --
    Believe me, if I started murdering people, there would be none of you left.
  3. NoScript addon protects you from this by plastick · · Score: 3, Informative

    NoScript will protect you from this (XSS) - even if you have it set to globally allow javascript.

  4. Fail for my MAC by AliasMarlowe · · Score: 4, Informative

    Well, I entered my router's MAC just for giggles, and it said "Sorry, didn't find anything". This router has been continuously connected with a fixed public IP address for over a year.
    Then I entered my previous router's MAC, and got the same result. The previous router is in storage in the attic, but was in use with very few brief breaks for about 6 years. Also with a fixed public IP address.
    Clearly, their MAC geolocation database has a teeny hole - or more likely loads of vast gaping chasms.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    1. Re:Fail for my MAC by gad_zuki! · · Score: 3, Informative

      Hmm, just guessing, but are you checking your wifi interface MAC and not your wired interface wifi? Also, hows the reception outside your home? If the streetview car can't see your SSID's then its not going to get that MAC. I'm not certain if google's sniffer was able to sniff pre-encrypted headers with the MAC if SSID broadcast is disabled.

  5. Re:Not found by Anonymous Coward · · Score: 4, Informative

    Short answer: It's easier, and more secure.

    If you don't broadcast your SSID, your laptop or other devices will keep polling for it when its not around, thus you're essentially broadcasting your SSID wherever you go.

    http://www.howtogeek.com/howto/28653/debunking-myths-is-hiding-your-wireless-ssid-really-more-secure/ is a good read.

    On a sort of unrelated note, I was slightly disappointed that even when I hand-fed this script my mac address it still didnt have my location. Then I remembered I changed my mac address to try to fix some problems with comcast, and google had my old one. I wonder if theres anything to be gained by spoofing your mac address as one from another location, possibly to circumvent some geolocked content?