The OWASP O2 Platform knows your physical location! …and… “phishing for MACs”

Hi SecuriTeam crowd. After much soft-presure from Brian, I’m finally putting my ‘SecuriTeam Blogger Hat’ and hopefully this will be the first of many WebAppSec and O2 Platform related posts.

For my first post I chose the lastest script that I just added to the OWASP O2 Platform (http://o2platform) which is called “Tool – Find Physical Location via MAC Address (using Google’s APIs).h2″ and does exactly that. It will show your current location using your current wireless router’s MAC address (or the location of a provided MAC address)

This is based on the research done by Samy’s on his “How I meet your Girlfriend” presentation (currently on an OWASP EU Tour presenting it) and it is a good example of the O2 Platform’s powerful dynamic scripting environment (I wrote that PoC in a couple hours)

For more details on how this works see

I think that the fact that Google exposes this information is a big deal, and I personally (as a consumer with exposed data) am not happy at all with it. But my personal feelings don’t really matter here, the question I think we should try to answer is: ‘How big is this problem?’

Basically, since MAC addresses are now a valuable asset, let’s go “Phishing for MACs” and figure out all the ways we can calculate/map/find them.

On the O2 script above I used “arp -a” to get the local wireless router, Samy used an XSS on the router, so what other ways there are to find router’s MAC address?

I wonder if we can Brute Force Google’s Location Services database and get a maping of ALL “MAC addresses+Locations” that they have currently stored :)

  • power balance wristband

    Thanks for your share. I like it!

  • wigs

    The base of an Egyptian wig was a fiber-netting skullcap, with strands of human hair, wool, flax, palm fibers, felt, or other materials attached.