
Tuesday, February 15, 2011

Find anyone’s location from their router MAC address (Google Maps API exploit)

These days location-based services can tell where you are at any time. Many online services can roughly tell your location, but they don’t generally pinpoint it to exact GPS coordinates. Samy Kamkar has used the undocumented Google Maps API to map a web browser to GPS coordinates via router XSS and Google’s Location Based Services; that is, using this, one can find the location of any person from their router’s MAC address. The application is called MapXSS.


The router and web browser themselves contain no geolocation/GPS data, and the technique is not IP-based geolocation either. It works via router XSS, which obtains the MAC address of the router via AJAX. The MAC address is then sent to the person who is trying to learn your location, and from there to Google’s Location Based Services, which can map the location (approximate GPS coordinates) of a user based on his MAC address. The creator of MapXSS says that he determined this protocol by using Firefox’s Location Aware Browsing.

Without Google Maps, this method of learning someone’s location through an XSS exploit isn’t possible. While collecting data for Google Street View, Google had also collected data on the wireless networks in the vicinity and the MAC addresses of those routers, and then mapped them to GPS coordinates. A malicious page you’re visiting might perform an XSS exploit, retrieve the MAC address of your router, and then retrieve the GPS coordinates corresponding to that MAC address from Google Maps.

This exploit is really serious, and it can lead to serious crimes, as thugs and ruffians can easily learn your location.
