Using XSS and Google Street view data to determine physical location

While looking for an article or topic to write about today i came upon some articles regarding the black hat convention that was held in Las Vegas last year. A man by the name of Samy Kamkar showed an interesting hack which extracted extremely accurate geo-location information from a Web browser, while not using any IP geo-location data. Before I explain what he did allow me to explain what XSS is. XSS is an abbreviation for cross site scripting. XSS is a security vulnerability found in Web applications that enables attackers to inject script into web pages viewed by other users. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page-content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Now how he does the attack is by first having the victiom visit his malicious web site and then using JavaScript and AJAX to acquire the routers MAC address. He was about to do this because when the user visited the site the JavaScript did a scan for the type of router and its MAC address. With this info he was able to use Google Street View to determine the location of the router within 30 feet of where it actually is. This isn’t Kamkars only hack. he also was the creater of an XSS worm that hit myspace a while back. In the video im posting below he does a demonstration of the hack.

Advertisements