New Attack Locates Web Users Via XSS, Google Data

The security researcher who created the MySpace XSS worm in 2005 has developed a technique that enables an attacker to accurately locate a Web user with GPS coordinates, without using IP-based geolocation.

Samy Kamkar, the author of the infamous Samy worm that spread through MySpace, on Monday published information about a new technique that can be used to exploit a vulnerability in some home Internet routers and, when combined with other information, pinpoint a user’s physical location. The tactic utilizes a combination of cross-site scripting and some freely available tools and information on the Web.

In an example of the attack Kamkar published on his site, the attacker must first get the victim to visit a malicious Web site, which then exploits a cross-site scripting flaw in the victim’s home router. In his example, Kamkar uses a flaw he discovered in a router used by Verizon FiOS customers. A bit of AJAX code then grabs the router’s MAC address and sends it off to the attacker.

The attacker then submits the MAC address to Google Location Service, the lookup backend behind the Location-Aware Browsing feature in Firefox. The result: a set of longitude and latitude coordinates for the victim’s PC.

Kamkar released the Samy worm on MySpace in 2005 and it quickly spread across the site, leaving messages on millions of users’ pages. He was later sentenced to three years’ probation as part of a plea agreement stemming from the incident.

Discussion

  • Anonymous on

    I'm calling BS here. Did you verify his claims? I tried it a couple times . . . zero results. Also, if you take the time to read the Google Location Services privacy policy, at http://www.google.com/privacy-lsf.html . . .

    "If you allow a website to get your location via this service, we will collect, depending on the capabilities of your device, information about the wifi routers closest to you, cell ids of the cell towers closest to you, and the strength of your wifi or cell signal. We use this information to return an estimated location to the Firefox browser and the Firefox browser sends the estimated location to the requesting website. For each request sent to our service, we also collect IP address, user agent information, and unique identifier of your client. We use this information to distinguish requests, not to identify you."

    So, having the MAC address would actually help about . . . zilch. Unless you're accessing the 'net using a wireless connection, thru an AP who collects the MAC address information of anyone associating, and sends it to Google. Or if your SP shares their DHCP-based IP-assignation logs, again with Google.

    Did anyone actually fact-check this story?

  • Dennis Fisher on

    No, he's using this to collect the MAC address of the wireless router that the user is using to access the Web.