Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Security IT

Geolocation XSS Tracker Proof of Concept 102

Jamie found a bit of a scary link this morning that demonstrates a router XSS getting your MAC address and using it to map your current location. Which I'm sure is totally no big deal for anyone.
This discussion has been archived. No new comments can be posted.

Geolocation XSS Tracker Proof of Concept

Comments Filter:
  • Geoduping (Score:5, Funny)

    by __aagctu1952 ( 768423 ) on Monday October 04, 2010 @12:30PM (#33785120)

    Even worse, with some clever XSS you can make Slashdot post the same story twice []!
    Oh wait, that's just shitty editing. Sorry.

    • Yeah, that's why they put it in the dupe section: []

      • Fail for my MAC (Score:5, Informative)

        by AliasMarlowe ( 1042386 ) on Monday October 04, 2010 @01:49PM (#33786048) Journal
        Well, I entered my router's MAC just for giggles, and it said "Sorry, didn't find anything". This router has been continuously connected with a fixed public IP address for over a year.
        Then I entered my previous router's MAC, and got the same result. The previous router is in storage in the attic, but was in use with very few brief breaks for about 6 years. Also with a fixed public IP address.
        Clearly, their MAC geolocation database has a teeny hole - or more likely loads of vast gaping chasms.
        • You didn't state if your routers have WiFi. That's pretty much what is necessary for this trick to work. My recently bought and implemented WAP does indeed have a geolocation (heck, I uploaded it to Wigle myself), but my nearly 8 year old DSL-only router doesn't, no surprise.
          • You didn't state if your routers have WiFi.

            My oversight.
            New/old routers have WiFi which is/was enabled, albeit with MAC filtering and WPA2 (the old one had WPA). The Google Streetview camera car has been through the area last year, so they should have harvested the router's MAC address. Hell, one of our cars is fairly distinctive and appears to be in one of the online images on Streetview.

            • Re:Fail for my MAC (Score:4, Informative)

              by gad_zuki! ( 70830 ) on Monday October 04, 2010 @05:12PM (#33788346)

              Hmm, just guessing, but are you checking your wifi interface MAC and not your wired interface wifi? Also, hows the reception outside your home? If the streetview car can't see your SSID's then its not going to get that MAC. I'm not certain if google's sniffer was able to sniff pre-encrypted headers with the MAC if SSID broadcast is disabled.

        • Pretty much everywhere that has Google Streetview I'd guess ...

          It seems to default back to IP geolocation (despite claims that it doesn't), as it got the correct country and city, but at least 30km out on the position for my router / static IP address.

          If your routers MAC hasn't been scanned, how could they possibly match it in a DB ? This is no more "scary" than the fact they scanned places in the first place, and now are happy to release that info to anyone who queries it.

  • Or, maybe it doesn't (Score:5, Interesting)

    by loftwyr ( 36717 ) on Monday October 04, 2010 @12:38PM (#33785222)

    Apparently my router is currently sitting in the former main office of the major telco for my area. Which is across town from me.

    And here I was thinking it was on my desk.

    So, fail

    • Heh, mine says it's across the country. My home one says I'm in Hawaii...when I'm much closer to Hawaii's 9th island.
    • by TooMuchToDo ( 882796 ) on Monday October 04, 2010 @01:10PM (#33785602)

      Mine was dead on, with the blue dot indicator actually on top of my townhouse (out of 5). Clearly, YMMV.

      • I think, perhaps, that you may be the exception instead of the rule. I checked my router's MAC address and the response was a town northwest of Seattle (I live in southeast Wisconsin). Chances are that many of the results will be the router's origin: the manufacturing site.
      • Yup - same here. I live in a relatively rural area and the location was exact. Like posters above said - matters not about encryption as the MAC address is sent clear (all my APs are WPA2 only)
      • by dnrck ( 973325 )
        Mine was within my block but not quite dead...still worrying.
    • Not sure what it is supposed to do but the map at the bottom of the page indicates some location somewhere in the US.

      I'm at least 16 hours flight away (that's the shortest flight from here to north-west US; to get to the south-east it's more like 20 hours).

      Appears like a total fail. And I can't be bothered to try and find the MAC address of my wifi router to enter it in that site. I just used the Firefox location thing.

      Total fail for me too. Many times I've been located (by IP address) to at least the co

    • My MAC is in Scottsdale AZ USA, but I am 11 hours away, almost exactly on the other side of the earth. Oh well, what the hell.
  • No location given when I entered my MAC on the test site. Pah.
  • I'm in southern Indiana. It says I'm in Chicago.

    So close...

  • I'm in Moscow, but my coordinates seem to be
    "country":"United States"
    "county":"Los Angeles"
    "city":"Los Angeles"
    "street":"N Formosa Ave"

    • Re: (Score:3, Funny)

      by idontgno ( 624372 )

      In Soviet Los Angeles...

      Nope. That's it, that's all I've got. Damn. Seemed so promising.

    • I get the exact same location. Accessing this site from Hong Kong.

      • Re: (Score:3, Informative)

        by wvmarle ( 1070040 )

        To follow up on my own post:

        I just tried the example MAC that is given on the web site, and that one failed as well. Also that same location in Los Angeles, USA.

        Not sure what's going on here but as proof of concept it seems to fail pretty miserably for me. Oh and that's with the latest Firefox (v.3.6.10) available on Ubuntu 10.04.

    • Re: (Score:3, Informative)

      by Ksevio ( 865461 )

      That's the default for the page - you have to click one of the links on the page to change things.

      In Firefox/Opera, click the link in "If you're on Firefox, you can test the Location Services by clicking here. " and the map will change.

  • It has no data on my MAC, but here I am posting away. I wonder what sort of app I'm using to post without a computer.

  • Dead beef (Score:4, Funny)

    by Abstrackt ( 609015 ) on Monday October 04, 2010 @12:56PM (#33785444)
    Apparently 00-de-ad-be-ef-00 is in downtown Toronto.
  • by mrkitty ( 584915 ) on Monday October 04, 2010 @01:12PM (#33785632) Homepage
    The XSS FAQ []
  • by plastick ( 1607981 ) on Monday October 04, 2010 @01:14PM (#33785654)
    NoScript will protect you from this (XSS) - even if you have it set to globally allow javascript.
  • Not found (Score:3, Informative)

    by iONiUM ( 530420 ) on Monday October 04, 2010 @01:18PM (#33785694) Journal

    Mine says not found. Probably because I don't have broadcast SSID on my wireless, judging by the procedure he's using (google locator). If this is the case, why does anyone broadcast their SSID to begin with? I never really understood that. There's no benefit for home users, since chances are 99% of the devices you use on a daily basis are not new, and so you only have to take the extra 5 seconds to manually enter the SSID once.

    • Re:Not found (Score:4, Informative)

      by Anonymous Coward on Monday October 04, 2010 @02:00PM (#33786176)

      Short answer: It's easier, and more secure.

      If you don't broadcast your SSID, your laptop or other devices will keep polling for it when its not around, thus you're essentially broadcasting your SSID wherever you go. is a good read.

      On a sort of unrelated note, I was slightly disappointed that even when I hand-fed this script my mac address it still didnt have my location. Then I remembered I changed my mac address to try to fix some problems with comcast, and google had my old one. I wonder if theres anything to be gained by spoofing your mac address as one from another location, possibly to circumvent some geolocked content?

      • I wonder if theres anything to be gained by spoofing your mac address as one from another location, possibly to circumvent some geolocked content?

        Unlikely. Such things are usually geolocated via IP address, not MAC.
        You could maybe spoof your IP address, or use an appropriate proxy.

    • re: broadcast SSID (Score:3, Interesting)

      by King_TJ ( 85913 )

      I find broadcasting the SSID helps greatly in troubleshooting wireless issues for other people, if nothing else.
      If I get called out to the typical home user's place to help them "fix their problems getting on the Internet", they often don't have any clue what their SSID is set to. All they know is that "It worked ever since the Geeksquad guys came out and set it all up for us!" or what-have-you.

      On more than one occasion, I discovered the reason someone had issues had to do with neighbors buying new Linksys

    • by pongo000 ( 97357 )

      Mine says not found. Probably because I don't have broadcast SSID on my wireless, judging by the procedure he's using (google locator).

      I don't broadcast my SSID, never have. Yet this script located my browser to within about a 500 ft. radius of my address.

  • Typed in the MAC (00-23-97-20-EA-9B) and got this: Sorry, didn't find anything for 00-23-97-20-ea-9b.

    Also tried the other two links.. one just brings up my router page ( which asks for a login & password, and the firefox one (I'm using Chrome) doesn't work either. Well kind of. If I enable location services in Chrome, it will load a map, but it won't place a mark anywhere, and it's centered on a town about a 35 minute drive away.
  • Allowed his page temporarily but still doesn't work.

    Other than google analytics, everything else is permitted.

    no script,
    web of trust
    better privacy

  • The XSS posted works only on a small class of SOHO routers, e.g. Westell UltraLine Series3 Routers.
    If you have anything more sophisticated then a Westell UltraLine Series3 router, you are not affected.
    The XSS uses the factory default router IP to send HTTP requests to your router.
    • So it sounds like my house is immune for many obscure reasons, which is to say, I apparently have been practicing "obscurity in depth" as my security strategy.

      Firstly, for slightly complicated historical reasons, I have my internal home network on 192.168.N.0/24, where N is not zero or one.

      Secondly, my desktop machines are not on the wireless, they're wired to the router, and the wired port has a different MAC than the wireless, invisible to Google.

      Thirdly, I don't broadcast my SSID, which might mean it's n

  • He didn't get my address, but he did my neighbor, Mike's house across the street. Which means anyone trying to rob me will go there, instead. Which means I guess it's perfectly safe for me to leave this on, since I don't much like Mike, anyway.

  • Isn't this just looking at wardriving data that was submitted to various wardriving geolocation databases?

    1) You broadcast your wireless MAC to the universe via wireless.
    2) Dude picks it up on a wardrive scan.
    3) Dude uploads his logs to [] or some other database.
    4) Google gets data from these databases (how?) and puts it into their geolocation database

    I know I've uploaded my own wireless MAC to wigle before, so no help there. Then again, I have an android phone that connects to my wireless ro

  • I have the same router, but apparently the script is broken if you have your internal DHCP server dishing out any other IP range BESIDES 192.168.1.x

    Mine is set to and the script failed on an unprotected browser.

    Could this be another win for non-standard setups... Or would this be easy enough to code around?

  • I cannot count the number of ISPs that I've had to deal with where if you do a reverse-dns lookup of a user's IP address, their MAC address shows up in the DNS name given by the ISP's DNS server. Moreso from this, virtually every wireless router I've worked on to date has the WAN, LAN, and Wifi MAC address in sequential order.

    So, who needs XSS for this? Simply pull a reverse-dns of the IP address, and odds are that the MAC address will be +- 1 or 2 away from the WAN MAC that the ISP just handed over to you

  • Wierd (Score:4, Interesting)

    by ichthus ( 72442 ) on Monday October 04, 2010 @03:40PM (#33787378) Homepage

    I have two Wireless APs -- one of which is only active occasionally for guests. Here's what I got when I entered my MACs:

    Everyday (always on) router: It found my city, but the address was about two miles away.

    Guest router: It pinpointed my father-in-law's address. This is strange, because my router has never been located at his house. But, HE HAS CONNECTED TO MY ROUTER. Interesting.

    I checked the first address again, and this would be a friend's house, who I once connected his laptop to my network when I was fixing it.

    I'm not completely familiar with 802.11, but it would appear that computers that had previously connected to my MAC are regularly pinging this MAC in such a way as to be received by the Google drive-by's and recorded as actual MACs of actual APs. Is there another explanation?

    • It's reassuring to know that there is a 1:1 relationship between devices and mac addresses and that each device in the world that requires a mac address has its own very unique mac and that there is no duplication. Heaven forbid the calamity that should arise if there was any duplication at all.

    • Guest router: It pinpointed my father-in-law's address. This is strange, because my router has never been located at his house. But, HE HAS CONNECTED TO MY ROUTER. Interesting.

      Possible scenario for your guest router:

      - your father has likely given Google the exact location of his laptop, while at his own home. Can be very useful for personalising search results.

      - also because he's done Google searches before so probably he's got a cookie uniquely identifying that laptop, if only for those personalised search results.

      - he connects to your guest router: Google finds that this laptop now has a new MAC address, and uses the previously known location information to link to the new M

  • PDF Presentation (Score:2, Interesting)

    It's worth noting that the presentation titled "Bad Memmories" was presented at the BlackHat conference is very similar to this. PDF available []
  • I am amazed that this actually is tracked by the google van or whatever. It found my old address based on the mac address of my wireless adapter in that particular router. The wan and lan addresses were not found. So it appears that google has a list of many MAC addresses and their locations. Quite scary, and obviously impossible to opt out of.

    I really hope some north american government looks into this. What possible non abusive use could this possibly serve? At least the router i am using allows me to cha

    • Obvious use: personalised search results.

      E.g. you're looking for "take-away pizza" then they can look for the pizza shops closest to your location, without you having to dig through the results manually or having to enter your address yourself.

  • Phew! good thing I use a PC
  • With Apple devices only using wifi/telcos, maps grabbing MACS, apps grabbing gps/MAC/serial numbers. Ads tracking deep in flash/html5 databases.
    Modems/wifi units selling with bar code MACS on the side of the box with online extra warranty forms.
    This is all a lot of internal work to track a few ads to message you about 'free' coffee as you walk past a cafe.
    Is the MAC one of the few stats of value now in any device?
    Why are so many dumb devices leaking so much unique info out of the box?
  • need to get this to track my gf when she is out of country, so i know when she is getting

... though his invention worked superbly -- his theory was a crock of sewage from beginning to end. -- Vernor Vinge, "The Peace War"