The security researcher who created the MySpace XSS worm in 2005 has developed a technique that enables an attacker to accurately locate a Web user with GPS coordinates, without using IP-based geolocation.
Samy Kamkar, the author of the infamous Samy worm that spread through MySpace, on Monday published information about a new technique that can be used to exploit a vulnerability in some home Internet routers and, when combined with other information, pinpoint a user’s physical location. The tactic utilizes a combination of cross-site scripting and some freely available tools and information on the Web.
In an example of the attack Kamkar published on his site, the attacker must first get the victim to visit a malicious Web site, which then exploits a cross-site scripting flaw in the victim’s home router. In his example, Kamkar uses a flaw he discovered in a router used by Verizon FiOS customers. A bit of AJAX code then grabs the router’s MAC address and sends it off to the attacker.
The attacker then sends the MAC address through Google Location Service via the Location-Aware Browsing service in Firefox. The result: a set of longitude and latitude coordinates for the victim’s PC.
Kamkar released the Samy worm on MySpace in 2005 and it quickly spread across the site, leaving messages on millions of users’ pages. He later was sentenced to three years’ probation as part of a plea agreement stemming from the incident.