home page || follow my twitter || blog || email me || samy kamkar

Mapping a web browser to GPS coordinates via router XSS + Google Location Services without prompting the user

Welcome. Here is a proof of concept on obtaining *accurate* GPS coordinates of a user sitting behind a web browser via router XSS. The router and web browser themselves contain NO geolocation/GPS data. This is also *not* IP based geolocation.

Unfortunately, shortly after my release of this attack (and presentations at Defcon/Blackhat / press), Google has both blocked my tool and altered their system to prevent this from working. It is still exploitable, however I will leave that up to the (motivated) reader.

The method works like this:
1. You visit a malicious web site (why are people so mean?)
2. The web site has a hidden XSS against your router (in this example, I'm using an XSS I discovered in the Verizon FiOS router)
3. The XSS obtains the MAC address of the router via AJAX.
4. The MAC address is then sent to the malicious person. In the test case below, it's sent to me (not that I'm malicious!)
5. I then take the MAC address and send it along to Google Location Services. This is an HTTP-based service where router MAC addresses are mapped to approximate GPS coordinates from other data sources. There are NO special browser requirements, nor does a user need to be prompted. I determined this protocol by using Firefox's Location-Aware Browsing.
6. I grab the coordinates and show it to you in a pretty map below.

If you're on a Verizon FiOS router and logged in, you can test this XSS here. This was tested on a Westell UltraLine Series3 firmware 1.02.00.04.

If you're on Firefox or Chrome, you can test the Location Services by clicking here. While this asks you to share your location, the XSS does NOT prompt the user!

Or, you can simply test the Location by entering a router MAC address:
 

To view other cool stuff, check out my website or follow my twitter.

developed by samy kamkar, 01/04/2010


margin:0;padding:0
html
code
font:15px/22px arial
sans-serif
html
background:#fff;color:#222;padding:15px
body
margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px
* > body
background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px
p
margin:11px 0 22px;overflow:hidden
ins
color:#777;text-decoration:none
a img
border:0
@media screen and (max-width:772px)
body
background:none;margin-top:0;max-width:none;padding-right:0
#logo
background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px
@media only screen and (min-resolution:192dpi)
#logo
background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0
@media only screen and (-webkit-min-device-pixel-ratio:2)
#logo
background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%
#logo
display:inline-block;height:54px;width:150px

404. That’s an error.

The requested URL /loc/json was not found on this server. That’s all we know.