A hacker uses Google Street View data to stalk their victims.
If you're surfing the web from a wireless router supplied by some of the biggest device makers, there's a chance Samy Kamkar can identify your geographic location.
That's because WiFi access points made by Westell and others are vulnerable to XSS, or cross-site scripting, attacks that can siphon a device's media access control address with one wayward click of the mouse. Once in possession of the unique identifier, Kamkar can plug it into Google Location Services and determine where you are.
"It's actually scary how accurate it is," said Kamkar, the author of the Samy Worm, a self-replicating XSS exploit that in 2005 added more than 1 million friends to his MySpace account and in the process knocked the site out of commission. "I've found that with a single MAC address, I've always been spot on with the tests I've done."
Kamkar, who tweeted about the vulnerability Tuesday, has posted a proof-of-concept attack here. For now, it works only on FiOS routers supplied by Verizon, and then only when users are logged in to the device's administrative panel. With a little more work, he said he can make it exploit similar XSS holes in routers made by other manufacturers.
From Firefox's website:
Websites that use location-aware browsing will ask where you are in order to bring you more relevant information, or to save you time while searching. Let’s say you’re looking for a pizza restaurant in your area. A website will be able to ask you to share your location so that simply searching for “pizza” will bring you the answers you need... no further information or extra typing required.
Or, if you’re mapping out directions to get somewhere, the website will know where you’re starting from so all you have to do is tell it where you want to go.
This service is totally optional – Firefox doesn’t share your location without your permission – and is done with the utmost respect for your privacy. And, like all elements of Firefox, it’s being created using open standards to ease adoption by Web developers.
Download the PowerPoint presentation:
http://samy.pl/bh10/
Links:
http://www.theregister.co.uk/2010/08/03/google_street_view_hack/