Thursday hacking adventures: XXXSS and Creepy Geolocation
Is it possible to geolocate someone without their permission? I enjoy not having a 7th period so I can sit in front of my computer and reinforce my perpetual virginity by answering these kinds of questions.
A couple years back, Samy Kamkar gave an excellent talk at DEFCON 18 about using triple-XSS to trick a user into hacking into their own router, and then using the acquired router BSSID to fetch its location via the Google Maps Geolocation API (thanks, Street View!).
He didn’t release his code, but lots of people put together a bunch of scripts to achieve BSSID-based geolocation. Unfortunately those scripts no longer work, as Google and Skyhook have updated their APIs to use different GET requests.
At least geolocation still works legitimately in Firefox…
Thankfully, Firefox makes its low-level HTTPS processing code available, which means we can tamper with it!
We see that the decrypted GET request is formatted like this:
Evidently, the API works by scanning the network for other MAC addresses.
The request returns a JSON object.
Plugging these coordinates into Google Maps, we see some pretty scary shit indeed.
I did some tinkering with the URL, and it turns out that we don’t need much information about the router SSID or signal strength, but we do need at least one other MAC address before we can get a good location (providing just 1 MAC gives us a terrible estimate, about as good as regular IP address geolocation). Here is a much more concise request that gives pretty much the same result:
I suspect the order of the MAC addresses provided matters in terms of how Google determines the precise location. If so, we can use our home as a midpoint and assume that the Maps API gives us the midpoint between the actual location of my house and the location of the other network. The measurement can probably be improved by scaling according to the accuracy value or by using some combinatorial reverse-intersection algorithm.
So I guess the problem now is getting the user to send us their own BSSID, along with the BSSID of a nearby router. Typically people don’t bother changing the password to their router admin panel (after all, it is unlikely that we will get physical access to the device or crack the WEP/WPA key - well, WPA at least).
Scan for router access panel:
Log in to the router:
Now that we’ve iframed the router access panel, we can just run a script to fetch the MAC address.
If we were in the vicinity, perhaps we could build up some sort of cache of all the different locations. I suspect that Google could theoretically require only 1 address by fetching locations from a big cache of theirs (people usually don’t move their routers around a lot), but I suppose it’s for security reasons, to thwart this kind of thing.
BUT WAIT A SECOND! What if we didn’t use Google, and instead simply queried a wardriving database with the single MAC address we fetch from the user? We could fetch additional MAC addresses from there, and still call the Google Geolocation API to fetch a more accurate result.
Ta-da! We have found the location of the person who clicked the link, down to the nearest 30 ft.
This shit is so cray.