http://www.theregister.co.uk/2010/01/05/geo_location_stealing_hack/

By Dan Goodin in San Francisco
The Register
5th January 2010

If you're surfing the web from a wireless router supplied by some of the biggest device makers, there's a chance Samy Kamkar can identify your geographic location.

That's because WiFi access points made by Westell and others are vulnerable to XSS, or cross-site scripting, attacks that can siphon a device's media access control address with one wayward click of the mouse. Once in possession of the unique identifier, Kamkar can plug it in to Google's Google Location Services and determine where you are.

"It's actually scary how accurate it is," said Kamkar, the author of the Samy Worm, a self-replicating XSS exploit that in 2005 added more than 1 million friends to his MySpace account and in the process knocked the site out of commission. "I've found that with a single MAC address, I've always been spot on with the tests I've done."

Kamkar, who tweeted about the vulnerability Tuesday, has posted a proof-of-concept attack here. For now, it works only on FiOS routers supplied by Verizon, and then only when users are logged in to the device's administrative panel. With a little more work, he said he can make it exploit similar XSS holes in routers made by other manufacturers.

[...]

________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org

Received on Wed Jan 06 2010 - 01:04:01 PST