How to hack Facebook account 4: Geolocation via cross-site scripting

Read: How to hack Facebook account: Facebook profile hacking by PHP session hijacking
Read: How to hack Facebook account 2: using LCG for Facebook profile hacking
Read: How to hack Facebook account 3: applying Cross-Protocol Scripting to attack victim’s network

In the final part of Samy’s talk “How I Met Your Girlfriend”, he determines his target’s location.

We’re gonna be talking about Geolocation via XSS [1] (note: Samy wittily calls this technique XXXSS in the context of this particular talk). So how does this work? Anna visits my malicious site, XSS scans the whole local network to figure out what kind of router she is running. This is very simple.

Code snippet for determining the type of router using iframe

Here is one example (see image). There are a million ways to do it. Basically, iframes on a bunch of different URLs – they are known router locations on your local network. I can access that, but because her browser is on my site, it’s now her network that’s accessing it. So she is accessing http://192.168… addresses. If any of those addresses work, an onload occurs which says: “Oh, I detected a Belkin router, or I detected a Verizon Fios router”. And now we know what kind of router she is on.

Code used for logging in to the router

After that we can log in with default credentials. Now, no one changes their credentials on the router; they’re like “Who’s gonna connect?” Let’s assume you’re running WPA2 [2], and the only way to connect is to know the WPA password or by getting physical access. So who is gonna be able to access those internal IP addresses? Well, I can. So can you. So make sure you change your credentials when you have a router at home that has an HTTP-based authentication system. This is not necessary for this attack in many cases, but here is a way to log in to a Belkin router – that’s what it is, I believe (see image).

Javascript from Samy's malicious site used for acquiring the router's MAC address

There is actually a nice list of XSS, CSRF [3], default passwords for every major router you can find online. So Anna visits the site, we figured out the router type, we log in if we have to – which in many cases we don’t – and then we XSS the router, and we load remote javascript, which you can check out on the image. Alright, so what does the javascript do? The javascript then uses AJAX and connects to another page on the router, and acquires the MAC address of the router.

Alright, well, who cares, it’s a MAC address – like, what’s the big deal? So briefly, what is a MAC address? Basically, every network device on your network has a MAC address – kinda like an IP address – it’s in hardware, you can’t change it unless you’re spoofing it, and it’s how everything communicates with each other on your LAN.

So why the MAC address? Why do we want to acquire it? What’s so interesting about it? I’ll take you through the steps. Just Bing it: open your browser, type ‘www.bing.com’ in your URL bar. When the search box comes up, type in ‘Google’ and hit Enter. So why Google? Oh yeah, because they know everything, really.

Google Street View car

So, some of you may be familiar with the ‘Google Street View’ service.

So what you see on the image is the Street View car. Some of you may have seen it; some of you, well, lots of you probably know what it is. It’s the car, it’s the one guy who drives around America taking pictures, drives on every single street. Now, we understand the Street View is really cool. You can go onto ‘Google Maps’ and you can see all the different streets, the people flashing the cameras, marriage proposals – all sorts of awesome stuff. What you may have not known is that they are collecting data. Now, recently there’s this big thing about Google collecting unencrypted Wi-Fi data. Well, this has nothing to do with that. And soon they won’t have any of that Wi-Fi data, which they’ve already deleted in a lot of places.

They are still collecting other Wi-Fi data. So what are they collecting? Well, as they are driving around, not only are they taking pictures, not only are they mapping GPS coordinates, but they are also looking at just Wi-Fi packets in general: not the data portion – they are looking at the headers.

Now, what’s interesting about the headers? They contain MAC addresses, the hardware MAC address of your router – the same MAC address that we acquired just with the XSS. Alright, so why is that interesting? Well, with Wi-Fi you can detect strength. As they are driving down, they are actually detecting my network at home. They’re driving on the street and say “Oh, I detected a network, it’s about 10 out of a 100 strength-wise. It must be close”. Driving a little further, taking the pictures – “Oh, it’s stronger now, it’s 50 out of a 100”. Gets to its maximum, say, 85 out of a 100, and then it starts to basically go down. Well, they’ve just triangulated my position.

Not only are they actually going on that street, but they are going on every other street around it, and now they get even more accurate data. They may see it actually goes up to strength 95 on the street parallel to mine. Now they know that I am actually closer to that street than I am to the other one that was at 85 strength. They are literally triangulating your network. It doesn’t matter if you are encrypted, it doesn’t matter if you are using WEP, WPA, WPA2. The packets are flying and the MAC address is in there unencrypted.

So how do we use this to advantage? Well, Firefox has this cool feature that very few people know about, called ‘Location Services’. It’s really cool. What happens is javascript will execute; you can go to a website and javascript will execute. Firefox understands this and says: “Oh, I’d better collect the MAC address of my gateway and send it to Google and find out where I am”. Well, they are smart. They said “You know what, we probably shouldn’t do that by default, even though we’d like to. So what we’re gonna do is we’re gonna ask the user, we’re gonna have a little box come up that says: ‘Do you wanna share your location with this website?’” You can’t take it over with clickjacking, other browsers don’t have support for it yet. I believe the Developer Build of Chrome does.

So how is this interesting? You know, we can’t really access it, they visit our malicious website, but we don’t want them to see that, and they are not gonna click it. Well, Firefox is making an HTTPS connection to Google and asking them for this information. Why don’t we make that connection? I can write a program on the backend, so when you visit my website, I use XSS to acquire your MAC address, and then I send it back to my little program running in the background. It’s not running on your browser anymore.

Geolocation via XSS

I then connect to Google. I send your MAC address in this POST request, and it sends back your location, your coordinates. Now, just to understand how accurate this is: this is an actual router I’ve exploited, and I knew the address beforehand, because Anna was there. So, I went over there, and I did a ‘Google Maps’ request. And I said “Take these coordinates and drive me to the location, the address.” The image shows how far it was. Driving directions – 30 feet. The router was 30 feet away. Seriously, that’s what it said – 30 feet. That’s how accurate the coordinates are. It’s on that router that I was exploiting.
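The whole chain above (iframe probes of known LAN addresses, then cross-site requests that pull the MAC off an admin page) leaves a footprint on the router itself. The following is an added example, not code from Samy’s talk: it scans a router’s HTTP access log for admin requests triggered from a foreign web origin and for one LAN client probing many admin paths within seconds. The router address, the log lines and the `attacker.example` origin are constructed for the example.

```python
# Added example (not Samy's code): flag the attack's footprint in a router's HTTP
# access log: admin requests triggered from a foreign web origin, and one LAN client
# probing many admin paths within seconds (the iframe scan). Router address is assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

ROUTER_ORIGINS = {"http://192.168.1.1", "https://192.168.1.1"}

# Constructed sample log (Combined Log Format); paths and referers are illustrative.
SAMPLE_LOG = [
    '192.168.1.23 - - [10/Mar/2012:13:01:02 +0000] "GET /login.htm HTTP/1.1" 200 512 "http://192.168.1.1/" "UA"',
    '192.168.1.23 - - [10/Mar/2012:13:04:10 +0000] "GET /index.htm HTTP/1.1" 200 900 "http://attacker.example/" "UA"',
    '192.168.1.23 - - [10/Mar/2012:13:04:10 +0000] "GET /cgi-bin/home.cgi HTTP/1.1" 404 0 "http://attacker.example/" "UA"',
    '192.168.1.23 - - [10/Mar/2012:13:04:11 +0000] "GET /setup.cgi HTTP/1.1" 404 0 "http://attacker.example/" "UA"',
    '192.168.1.23 - - [10/Mar/2012:13:04:11 +0000] "GET /status.htm HTTP/1.1" 200 700 "http://attacker.example/" "UA"',
    '192.168.1.40 - - [10/Mar/2012:13:20:00 +0000] "GET /status.htm HTTP/1.1" 200 700 "-" "UA"',
]

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def parse(lines):
    """Yield (client, time, path, referer origin) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not silently trusted
        t = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        o = re.match(r"^https?://[^/]+", m["referer"])
        yield m["client"], t, m["path"], (o.group(0) if o else "")

def find_cross_site_requests(lines):
    """Admin requests whose Referer names a web origin other than the router itself.
    An empty Referer ("-", a typed URL) is normal and is not flagged."""
    return [(c, p, o) for c, _, p, o in parse(lines) if o and o not in ROUTER_ORIGINS]

def find_probe_bursts(lines, window=timedelta(seconds=5), min_paths=4):
    """Clients that requested at least min_paths distinct paths inside one window."""
    by_client = defaultdict(list)
    for c, t, p, _ in parse(lines):
        by_client[c].append((t, p))
    flagged = {}
    for c, events in by_client.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            paths = {p for t, p in events[i:] if t - t0 <= window}
            if len(paths) >= min_paths:
                flagged[c] = sorted(paths)
                break
    return flagged
```

On the sample log both checks point at the same LAN client: four admin requests referred from the foreign origin, and four distinct admin paths hit inside one second.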

I think Mark Zuckerberg said it best: “Privacy is dead”. Thank you!


[1] XSS (Cross-site scripting) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users.

[2] WPA (Wi-Fi Protected Access) is a security protocol and security certification program developed by the Wi-Fi Alliance to secure wireless computer networks.

[3] CSRF (Cross-site request forgery) is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser.
