Main

• dystopia.nl.eu.org
• rvdh.nl.eu.org
• Rss

About

• An Fhirinne in aghaidh an tSaoil. - In an ever darkening world, it is our quest for knowledge, information and above all truth.

Last 5

• Firefox Geo Location
• JSFUCK
• XSS Rootservers.
• MSIE Persistent Crash.
• FireFox Stack Overflows.
• Custom Secure Database.

Txt

• Symbol list
• Route Servers
• Opera Airoso
• Browser Recon
• HTML Fuzzer
• VB Fuzzer
• Zero Sum
• Mod Rewrite
• SQLi

Pics

• 419 Bait Throphy I
• 419 Bait Throphy II
• MS Remote RDP

Nodes

• Sla.ckers.org forum
• The Spanner
• Gnucitizen
• Ha.ckers.org
• Lcamtuf
• Suspekt
• Phreedom
• Packetlife
• Securiteam
• Pauldotcom.com
• Portswigger
• Oshuma
• pro.grammatic.org
• Rgaucher
• Wisec
• SirDarckCat
• Kuzza55
• Billy Rios
• .Mario
• I)ruid
• Amrit Williams
• Veracode
• Writequit
• Rootkit.com
• Insanesecurity
• F-secure
• Carnal 0wnage
• blog.phishme.com
• ISC.Sans

Firefox Geo Location

There is a privacy issue in the latest Firefox branch that enables Firefox to interface with Google to obtain all sorts of Geo location data by default. Security deals with reductions of certain risks, that includes in obtaining a certain level of privacy as well. Therefore, there is a good reason why I beef up my SNMP, ARP restrictions. I just don't want anyone else pinging my system trying to De-cloak me, or perform reconnaissance for whatever reason they see fit. If Firefox in it's turn revokes all the restrictions I set and broadcasts my MAC address without prior notice that this is actually happening, I get angry, or at least annoyed by this fact. Secondly, broadcasting it to big daddy Google is another serious concern.

I came across this public function inside the window scope that enables Javascript to query your geo location:

window.navigator.geolocation.getCurrentPosition()

A website that implements a request through Javascript cannot access it by default, the browser needs to ask for your permission. The following script will trigger an request to obtain a geo location:

function Geo(){

	  navigator.geolocation.getCurrentPosition(found, notfound);

}



function found(position){

	  alert(position.latitude + ' - ' + position.longitude);

}



function notfound() {

	  alert('Location unknown');

}



Geo();

But with all things in life, the devil's inside the fine print or details. Upon testing, Firefox asked me if it was okay to share my Geo location with my test website. When that message appeared, I did not know that it was broadcasting my MAC address to Google. it probably is mentioned somewhere in the documentation that nobody reads, but I didn't read it as of yet until I browsed around the source code. Firefox seems to broadcast my MAC address to this Google address:

http://www.google.com/loc/json

The token which Firefox sends after requesting a token from Google in the background is in the form of:

{"version":"1.1.0","access_token":"TOKEN","wifi_towers":[mac_address,ssid,signal_strength]}=

http://mxr.mozilla.org/mozilla-central/source/dom/src/geolocation/NetworkGeolocationProvider.js#323

320         if (accessToken != "")

321             request.access_token = accessToken;

322 

323         if (accessPoints != null) {

324             request.wifi_towers = accessPoints.map(function (ap) ({

325                         mac_address: ap.mac,

326                         ssid: ap.ssid,

327                         signal_strength: ap.signal,

328                     }));

329         }

Luckily, Firefox let's you disable the Geo location functionality:

about:config 

geo.enabled = false

Sponsored by Acunetix.