
Geolocation XSS Tracker Proof of Concept

Jamie found a bit of a scary link this morning that demonstrates a router XSS getting your MAC address and using it to map your current location. Which I'm sure is totally no big deal for anyone.

  • by TooMuchToDo ( 882796 ) on Monday October 04, 2010 @01:10PM (#33785602)

    Mine was dead on, with the blue dot indicator actually on top of my townhouse (out of 5). Clearly, YMMV.

  • by mrkitty ( 584915 ) on Monday October 04, 2010 @01:12PM (#33785632) Homepage
    The XSS FAQ
    http://www.cgisecurity.com/xss-faq.html [cgisecurity.com]
  • by plastick ( 1607981 ) on Monday October 04, 2010 @01:14PM (#33785654)
    NoScript will protect you from this (XSS) - even if you have it set to globally allow JavaScript.
  • Not found (Score:3, Informative)

    by iONiUM ( 530420 ) on Monday October 04, 2010 @01:18PM (#33785694) Journal

    Mine says not found. Probably because I don't have broadcast SSID on my wireless, judging by the procedure he's using (google locator). If this is the case, why does anyone broadcast their SSID to begin with? I never really understood that. There's no benefit for home users, since chances are 99% of the devices you use on a daily basis are not new, and so you only have to take the extra 5 seconds to manually enter the SSID once.

  • Re:wildly off (Score:3, Informative)

    by wvmarle ( 1070040 ) on Monday October 04, 2010 @01:23PM (#33785736)

    To follow up on my own post:

    I just tried the example MAC that is given on the web site, and that one failed as well. Also that same location in Los Angeles, USA.

    Not sure what's going on here but as proof of concept it seems to fail pretty miserably for me. Oh and that's with the latest Firefox (v.3.6.10) available on Ubuntu 10.04.

  • Fail for my MAC (Score:5, Informative)

    by AliasMarlowe ( 1042386 ) on Monday October 04, 2010 @01:49PM (#33786048) Journal
    Well, I entered my router's MAC just for giggles, and it said "Sorry, didn't find anything". This router has been continuously connected with a fixed public IP address for over a year.
    Then I entered my previous router's MAC, and got the same result. The previous router is in storage in the attic, but was in use with very few brief breaks for about 6 years. Also with a fixed public IP address.
    Clearly, their MAC geolocation database has a teeny hole - or more likely loads of vast gaping chasms.
  • Re:Not found (Score:4, Informative)

    by Anonymous Coward on Monday October 04, 2010 @02:00PM (#33786176)

    Short answer: It's easier, and more secure.

    If you don't broadcast your SSID, your laptop or other devices will keep polling for it when it's not around, thus you're essentially broadcasting your SSID wherever you go.

    http://www.howtogeek.com/howto/28653/debunking-myths-is-hiding-your-wireless-ssid-really-more-secure/ is a good read.

    On a sort of unrelated note, I was slightly disappointed that even when I hand-fed this script my MAC address it still didn't have my location. Then I remembered I changed my MAC address to try to fix some problems with Comcast, and Google had my old one. I wonder if there's anything to be gained by spoofing your MAC address as one from another location, possibly to circumvent some geolocked content?

  • Re:wildly off (Score:3, Informative)

    by Ksevio ( 865461 ) on Monday October 04, 2010 @02:27PM (#33786492) Homepage

    That's the default for the page - you have to click one of the links on the page to change things.

    In Firefox/Opera, click the link in "If you're on Firefox, you can test the Location Services by clicking here. " and the map will change.

  • Re:Fail for my MAC (Score:4, Informative)

    by gad_zuki! ( 70830 ) on Monday October 04, 2010 @05:12PM (#33788346)

    Hmm, just guessing, but are you checking your wifi interface MAC and not your wired interface wifi? Also, how's the reception outside your home? If the streetview car can't see your SSIDs then it's not going to get that MAC. I'm not certain if Google's sniffer was able to sniff pre-encrypted headers with the MAC if SSID broadcast is disabled.
