

Hacker Uses XSS and Google Street View Data to Determine Physical Location - alecco
http://www.securityweek.com/hacker-uses-xss-and-google-streetview-data-determine-physical-location

======
bl4k
Who remembers the Intel processor ID debacle of ~10 years ago?

<http://www.schneier.com/essay-187.html>

There were similar privacy concerns when it was found that Microsoft were able
to generate unique identifying fingerprints of PCs, which they used for
license tracking.

This just proves that the debate then was moot since MAC addresses would
become universally unique identifiers. Now everything from phones, routers,
computers and laptops all have unique IDs.

To make the situation worse, and unlike the Intel debate, the growth of WiFi
means that these unique IDs are actually being broadcast for anybody to pick
up and read.

RFID will only make this situation worse. There was so much of a fuss about
the Intel IDs back in 99 that I can only think that people care less about
their privacy today.

------
davidu
Samy is smart. Been friends with him for about 15 years. One of the smartest
hackers I know. Built most of Fonality's backend, too. Also won "Caesars
Challenge" in Vegas when he was like 14 years old.

~~~
andrewbadera
Relevance? Are you the same guy telling people "I went to high school with
that chick" when looking at porn with comment features?

~~~
davidu
We're a small community here on HN. I'm sure others know him too. I don't need
to toot my own horn.

~~~
qq66
Also, davidu didn't mention that he is the kind of person who people might
brag about knowing =)

------
oldgregg
Very clever. What if you used the same attack to modify the router's iptables
and open a port to the outside world. Upload some patched firmware and you now
have the world's largest botnet.

~~~
cschneid
At the point you can make modifications to the user's local router, it's a
much better malicious hack to just change the DNS of every bank's website to
go to your data capture, man in the middle version.

------
newman314
Firefox about:config

Set geo.enabled to false.

Not clear how to do the equivalent in Chrome yet. What's alarming is, in my
brief search, there does not seem to be an easy way to retroactively go back
and delete permissions formerly/accidentally granted.

Same thing with html5 storage (offtopic but related). There is likewise no way
I know of to browse what exactly is stored in html5 storage via the browser
(preferences or otherwise).

------
Batsu
Not to downplay a rather interesting vulnerability, but why does it matter if
someone figures out where you are?

As much as I love my own real (not internet) privacy, I don't depend on people
not knowing where I am. The success of sites such as Foursquare leads me to
believe a large amount of people feel the same way.

~~~
tlrobinson
Furthermore, if you've got control of the router (and thus DNS server
settings...) the user has much bigger problems:
[http://www.schneier.com/blog/archives/2007/02/driveby_pharmi...](http://www.schneier.com/blog/archives/2007/02/driveby_pharmin.html)

~~~
nkassis
I don't think that he obtained control of the router, the article only states
that he managed to get the router's MAC address and then cross-referenced
this with Google's wifi database (I assume). He can't modify the router, just
get a routing table from the computer somehow. At least that's what I
understand from this article, which is extremely sparse in detail.

~~~
tlrobinson
He does have control of the router's settings (possibly even the ability to
update the firmware with a malicious replacement?). Most routers let you set
the DNS server addresses to be provided via DHCP. If you control DNS, you
control which addresses domains resolve to. No need to control the routing
table.

SSL helps mitigate the damage to some extent, but only if the site uses SSL.

~~~
nkassis
Wait, where does it state he gained access to the router? You can get the MAC
address of your router by sending an HTTP request to it. Mine states it on
the homepage. Doesn't mean you can change anything on there. What I'd like to
know is how he manages to send this request, the JavaScript same-origin policy
should be blocking this.

EDIT: I was referring to the original article, schneier has a point, if the
user has the default password set then yes he can login, but how is that even
possible on most browsers today, which prevent you from sending ajax requests
to anything but the original server?

EDIT2: Just tried it and got an error from chrome: 400 Bad Request Cross Site
Action detected!

~~~
tlrobinson
You need to watch the video again. Starting at 1:20 he mentions logging in
using the default admin credentials.

He's using an XSS vulnerability in the router admin interface to execute
JavaScript on the router's pages, so he can use JavaScript to do pretty much
anything the user can do.

But even without an XSS exploit you can make cross-domain POSTs using forms,
and GETs using IMG or SCRIPT tags. You just can't get the response, so it's
not suitable for this attack where you need to get the MAC address out.

The "Drive-by Pharming" mentioned in the link I posted used the latter
technique, because all it needs to do is POST some form that tells the router
to update the DNS settings, it doesn't need the response.

He actually mentioned that technique in the video, but sort of glossed over it
(right before "now, this isn't necessary in our geolocation XXXSS attack")

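The "Drive-by Pharming" POST described above works only because the router's admin page accepts any form submission carrying the browser's cookies. As an added example (not code from the thread, the article, or any router vendor), here is the server-side check a router admin UI would need: it refuses requests whose Origin/Referer is not the router's own address, and requires a per-session CSRF token on state-changing POSTs. The admin address 192.168.1.1 and the attacker page are constructed placeholders. Note that this does not help against the XSS case in the article, where script already runs on the router's own pages; that needs output encoding in the admin UI itself.

```python
# Added example: origin + CSRF-token check for a router admin form handler.
# Assumes the admin UI lives at http://192.168.1.1 (constructed placeholder).
import hmac
import secrets
from dataclasses import dataclass, field

ROUTER_ORIGIN = "http://192.168.1.1"  # constructed default admin address


@dataclass
class Request:
    method: str
    headers: dict
    form: dict = field(default_factory=dict)


class AdminSession:
    """One logged-in browser session; holds a per-session CSRF token."""
    def __init__(self):
        self.csrf_token = secrets.token_hex(16)


def check_cross_site(req: Request, session: AdminSession) -> str:
    """Return 'ok' or the reason the request is refused.

    Two independent checks: the browser-supplied Origin (falling back to
    Referer) must match the router's own origin, and state-changing POSTs
    must carry the session's CSRF token, which an attacker's page cannot
    read because it cannot see the router's responses.
    """
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(ROUTER_ORIGIN):
        return "cross-site origin"
    if req.method == "POST":
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token, session.csrf_token):
            return "missing or bad csrf token"
    return "ok"


def demo():
    """Constructed traffic: the router's own DNS form vs a drive-by POST."""
    sess = AdminSession()
    legit = Request("POST", {"Origin": ROUTER_ORIGIN},
                    {"dns1": "192.168.1.1", "csrf_token": sess.csrf_token})
    # Hidden auto-submitting form on a third-party page (constructed).
    driveby = Request("POST", {"Origin": "http://attacker.example"},
                      {"dns1": "203.0.113.5"})
    return check_cross_site(legit, sess), check_cross_site(driveby, sess)
```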
~~~
nkassis
Thanks for the clarifications. I'm now turning off my router's web interface
;p ssh is all that's needed anyway.

------
budwin
Maybe I missed something, but is this really how Firefox's location services
work? By phoning google with the MAC address? I understood google was logging
them, but didn't know they were _using_ them...

~~~
what
The location services are pretty creepy actually. I gave a site access and it
knew my exact address. I will not be giving another site access, until I can
specify that it should only provide my city.

------
joecode
Lesson: Put a password on your router.

~~~
CytokineStorm
Or even better, change the default IP address for the admin login. This attack
relies on a bunch of hidden iframes loading IPs that are common default
addresses of the admin login page.

~~~
nkassis
Let's assume the user is on 192.168.50.0/24, can his attack figure that out?

~~~
woodall
The attack/code he showed cannot, but what you can do is write different
iframes. Here is an example:

a+'.'+b+'.'+c+'.'+d

where a=192 b=168 c=0-255 d=0-255

Of course this could be any private network address range[1]. Next you would
use document.write or .innerText to make these iframes. Personally I wouldn't
stop at the first one. I would log all the frames that loaded into an array
and from there test them further. I would also get the user's IP address and
tack on :80, :8080, :21, etc. and see what I am presented with: web torrent
frontends, ftp servers, etc.

[1] <http://en.wikipedia.org/wiki/Private_network>

~~~
bnchdrff
This will take forever, and also make the user's browser unresponsive.

for (var c = 0; c < 256; c++) { for (var d = 0; d < 256; d++) { document.write('<iframe
height="1" width="1" src="http://192.168.' + c + '.' + d + '" id="' + c + '.'
+ d + '" name="' + c + '.' + d + '"></iframe>'); } }

<iframe> portscans, wow.

For a massively-deployed hack like Samy's, it makes plenty of sense to just
check the small handful of major-brand wifi routers.

~~~
woodall
I totally agree. You should only be checking for routers that have known
vulnerabilities, but that was not the initial question.

