The OWASP O2 Platform knows your physical location! …and… “phishing for MACs”
Hi SecuriTeam crowd. After much soft-presure from Brian, I’m finally putting my ‘SecuriTeam Blogger Hat’ and hopefully this will be the first of many WebAppSec and O2 Platform related posts.
For my first post I chose the lastest script that I just added to the OWASP O2 Platform (http://o2platform) which is called “Tool – Find Physical Location via MAC Address (using Google’s APIs).h2″ and does exactly that. It will show your current location using your current wireless router’s MAC address (or the location of a provided MAC address)
This is based on the research done by Samy’s on his “How I meet your Girlfriend” presentation (currently on an OWASP EU Tour presenting it) and it is a good example of the O2 Platform’s powerful dynamic scripting environment (I wrote that PoC in a couple hours)
For more details on how this works see
- Tool – Find Physical Location via MAC Address (using Google’s APIs).h2 Wiki page with technical details and ‘How to’ screenshots
- Using a MAC address to find your physical location (via Google Location Services) – Blog Post on my personal Blog (sorry SecuriTeam, I will link back to here next time )
- http://www.youtube.com/watch?v=G_XfZ99ZKCc – mandatory You Tubes video
I think that the fact that Google exposes this information is a big deal, and I personally (as a consumer with exposed data) am not happy at all with it. But my personal feelings don’t really matter here, the question I think we should try to answer is: ‘How big is this problem?’
Basically, since MAC addresses are now a valuable asset, let’s go “Phishing for MACs” and figure out all the ways we can calculate/map/find them.
On the O2 script above I used “arp -a” to get the local wireless router, Samy used an XSS on the router, so what other ways there are to find router’s MAC address?
I wonder if we can Brute Force Google’s Location Services database and get a maping of ALL “MAC addresses+Locations” that they have currently stored