XSS and geolocation fun

I’m slowly getting time to digest the goodies that came out of the recent BlackHat 2010 event.

There were a number of really interesting topics covered by awesome people like Jeremiah Grossman, Robert (RSNAKE) Hansen and of course the Hoff!

One of these was Samy K – of MySpace worm fame – who gave a presentation called “How I met your Girlfriend”, demonstrating an XSS exploit that works out where someone physically is by using Google’s location service.

If you don’t know what XSS (Cross Site Scripting) is:

From Wikipedia: Cross-site scripting holes are web application vulnerabilities that allow attackers to bypass client-side security mechanisms normally imposed on web content by modern browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection.

The exploit is fairly simple. It uses an XSS hole in the router’s web interface to run an AJAX script that reads the router’s MAC address, sends it off to Google’s location service, and gets back a set of coordinates. Once you have these you can see exactly where that person is.
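The whole chain above rests on one defect: a page served by the router that echoes attacker-controlled input into its HTML without escaping it. The JavaScript below is an added example, not code from this post or from Samy’s proof of concept. It models a router admin page that lists client hostnames, shows the vulnerable rendering beside the escaped one, and includes a crude check of the kind a regression test or scanner would apply to the rendered output. The router page, the hostname field and all sample values are assumptions made for illustration.

```javascript
// Added example, not from the post or from Samy's proof of concept.
// It shows the single defect the whole chain rests on: a page that echoes
// untrusted input into HTML without escaping it, and the fix.
// The modelled page (a router admin page listing client hostnames) and the
// hostname field are assumptions for illustration.

// The five characters that must be escaped in HTML text and attribute values
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Escape a string so the browser treats it as literal text, never as markup.
// A single regex pass avoids the double-escaping bug of chained replace() calls.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable rendering: the hostname a client reported goes straight into the page
function renderClientRowVulnerable(hostname) {
  return `<tr><td>${hostname}</td></tr>`;
}

// Hardened rendering: same layout, but the hostname is escaped first
function renderClientRowSafe(hostname) {
  return `<tr><td>${escapeHtml(hostname)}</td></tr>`;
}

// Crude check for a regression test or scanner: after removing the template's
// own tags, does the output still contain a raw tag or an event-handler attribute?
function containsActiveMarkup(rendered) {
  const stripped = rendered.replace(/<\/?(tr|td)>/g, '');
  return /<[a-z]|on[a-z]+\s*=/i.test(stripped);
}

// Constructed probe input: a "hostname" that is really a script tag,
// and an ordinary hostname for comparison.
const PROBE_HOSTNAME = '<script>probe()</script>';
const ORDINARY_HOSTNAME = 'laptop-01';

// Running the file stand-alone prints both renderings of the probe
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderClientRowVulnerable(PROBE_HOSTNAME));
  console.log('escaped:   ', renderClientRowSafe(PROBE_HOSTNAME));
}
```

The escaped rendering is what stops the chain: the AJAX script never runs in the router’s origin, so it never gets to read the MAC address in the first place. The check function is deliberately crude (it will flag a hostname containing a string like `on=`); its purpose is to catch a regression where someone removes the escaping, not to replace a proper HTML parser.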

He has a pretty decent overview on his site (linked below), along with working proof-of-concept code.

Whilst the exploit was only “tested” on a Verizon FiOS router, other routers susceptible to XSS attacks, like D-Link, Linksys, Belkin and of course Cisco, could also be exploited with a modified version.

Now if only this could be used for good and not evil. The number of times that some of my bigger customers have moved whole sites and not told people is verging on silly.

Other Links & Sources:
Samy’s site: http://sammy.pl
XSS Cheatsheet: http://ha.ckers.org/xss.html
Definition of XSS: http://en.wikipedia.org/wiki/Cross-site_scripting