
List:       full-disclosure
Subject:    Re: [FD] Obtaining location using Google maps & JavaScript
From:       Reed Black <reed () unsafeword ! org>
Date:       2019-04-20 19:20:51
Message-ID: 3C941E9D-E681-4EE9-B46A-DA54621BCF04 () unsafeword ! org

Have you tested this?

The Google Maps page header includes "x-frame-options: SAMEORIGIN", which would prevent iframe embedding in every commonly used browser. But even if this control were not in place, browsers implement additional controls. Most significantly, if the page to be embedded in an iframe is on a remote domain, then the parent page is prevented from inspecting iframe content and metadata unless permissions are granted by the embedded page. Most modern browsers also block the embedded portion from HTML5 canvas reads. This means that even OCR of the rendered canvas should not work.

> On Apr 18, 2019, at 4:58 AM, Bhavesh Naik via Fulldisclosure <fulldisclosure@seclists.org> wrote:
>
> HTML5's geolocation feature asks for permissions to obtain users' current location, and the current IP-to-location also fails to pinpoint the exact location of the user. However, one can use Google Maps to obtain the location of the user (being said that he is currently logged in with his Google account). Using the URL https://www.google.com/maps/search/current+location/ in an I-frame content and making the visitor access the site would allow you to get the exact location. If the user is using a common account on laptop/desktop and his mobile phone, it is possible to get exact GPS co-ordinates using this technique. All that is required is that the site should be able to capture the lat-longs generated by the map APIs using JavaScript. Has anyone worked on something similar before?


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
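The reply above rests on the framing controls a response can carry. The following is an added example, not code from either poster, that models how a browser decides whether a given parent origin may embed a response: the CSP `frame-ancestors` directive wins when present, otherwise `X-Frame-Options` (`DENY` / `SAMEORIGIN`) applies, and an absent or unrecognised header permits framing. It is useful for auditing your own site's headers; the header values and URLs used in the usage call at the bottom are constructed for illustration, and the Google Maps URL is only the one quoted in the thread.

```javascript
// Added example (not from the thread): decide from response headers whether
// a browser would allow the response to be framed by a given parent origin.
// Models CSP frame-ancestors (takes precedence) and X-Frame-Options.

function parseOrigin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Does one frame-ancestors source expression match the parent origin?
function sourceMatches(source, parentOrigin, responseOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return parentOrigin === responseOrigin;
  if (src === "*") return true;
  // Scheme-only source such as "https:" matches any host on that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return parentOrigin.startsWith(src + "//");
  // Host source, optionally with scheme and a leading wildcard label,
  // e.g. "https://*.example.com".
  let scheme = null;
  let host = src;
  const m = src.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/);
  if (m) {
    scheme = m[1];
    host = m[2];
  }
  const p = new URL(parentOrigin);
  if (scheme && p.protocol !== scheme + ":") return false;
  if (host.startsWith("*.")) {
    const suffix = host.slice(1); // ".example.com"
    return p.host.endsWith(suffix) && p.host.length > suffix.length;
  }
  return p.host === host;
}

// headers: object of response header name -> value (case-insensitive names).
// Returns true if parentUrl's origin may embed responseUrl in an iframe.
function framingAllowed(headers, responseUrl, parentUrl) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const responseOrigin = parseOrigin(responseUrl);
  const parentOrigin = parseOrigin(parentUrl);

  // CSP frame-ancestors, when present, overrides X-Frame-Options.
  const csp = h["content-security-policy"];
  if (csp) {
    const directive = csp
      .split(";")
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      return sources.some((s) => sourceMatches(s, parentOrigin, responseOrigin));
    }
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parentOrigin === responseOrigin;
  // Unrecognised values (including the obsolete ALLOW-FROM) are ignored by
  // current browsers, so framing is permitted.
  return true;
}

// Usage: the header quoted in the reply, checked against a constructed
// third-party parent page.
const mapsHeaders = { "X-Frame-Options": "SAMEORIGIN" };
console.log(
  framingAllowed(
    mapsHeaders,
    "https://www.google.com/maps/search/current+location/",
    "https://third-party.example/"
  )
); // false: SAMEORIGIN blocks cross-origin embedding

module.exports = { framingAllowed, sourceMatches, parseOrigin };
```

The function answers only the framing question; it does not model the separate same-origin restriction the reply mentions, under which a parent page cannot read a cross-origin frame's document or pixel data even when framing itself is permitted.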

