Skip to Content
Uncategorized

How to Locate a Web User with a Few Clicks

The information collected by many Web companies may not be as secure as users would like.
August 1, 2010

It’s well-known that Google amasses large amounts of data about the people who uses its services. Though the company says it’s careful to anonymize that data, and to safeguard what it collects, a talk given this week at Defcon, an underground hacker conference in Las Vegas, illustrated how information can leak out of Google’s repositories regardless of the company’s intentions.

In a talk titled “How I Met Your Girlfriend,” security researcher Samy Kamkar (best known as the author of a worm that struck MySpace two years ago) described a series of attacks that could be used to find a person’s physical location. The beginning of the talk focused on making contact with the target in order to convince him or her to visit a website of the attacker’s choosing. Once the victim clicks the attacker’s link, Kamkar showed how to manipulate Google into revealing his or her location.

As part of Google’s StreetView effort, the company sends cars to drive through neighborhoods, taking photos and collecting data, including on WiFi networks in an area. The company has come under fire for some of the WiFi-related data it collects, but Kamkar says that hasn’t included much concern over the MAC addresses Google collects–these are identifiers that are unique to devices using a given network.

Through triangulation, Google determines and stores the longitude and latitudes associated with these MAC addresses. This information can then be used to power Web services that make use of a person’s location, including location services built into the Firefox browser. Kamkar says he was able to fool Google into revealing a target’s location information after the target visited his website. He did this by tricking the victims browser into revealing data that then allowed him to impersonate that person when requesting the information from Google.

Leaving aside the technical details of Kamkar’s attack, his narrative underlines a key concern with the personal information that modern Web companies store. Regardless of how a company intends to treat that data, providing it’s accessible in some way it may be possible for an attacker to gain unauthorized access to it.

Keep Reading

Most Popular

A view of clouds illuminated by sunlight
A view of clouds illuminated by sunlight

We can’t afford to stop solar geoengineering research

It is the wrong time to take this strategy for combating climate change off the table.

conceptual illustration showing various women's faces being scanned
conceptual illustration showing various women's faces being scanned

A horrifying new AI app swaps women into porn videos with a click

Deepfake researchers have long feared the day this would arrive.

Death and Jeff Bezos
Death and Jeff Bezos

Meet Altos Labs, Silicon Valley’s latest wild bet on living forever

Funders of a deep-pocketed new "rejuvenation" startup are said to include Jeff Bezos and Yuri Milner.

ai learning to multitask concept
ai learning to multitask concept

Meta’s new learning algorithm can teach AI to multi-task

The single technique for teaching neural networks multiple skills is a step towards general-purpose AI.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.