
Tracking user location from IP address using Google API

If you think your geolocation coordinates are safe just because you turned off location services on your phone or in your browser, think again. How? Let us begin with what an IP address is. Those who want no details on how I identified the issue and only the technical details on how to extract this information, please jump to the Fun and Profit section at the bottom.

(Edit: I am surprised by the reaction and the interest of many people in this really small article, which was a subset of a larger research goal. Initially, I had written this article only with the thought of documenting my thought process and seeing if I could get some insights from peers on further information I could look at. But I am pleased with all the questions I have got, and I have edited the article to make it slightly more insightful with more screenshots and a deeper explanation. Thank you, members of r/privacy and admax88 from r/netsec. Please do not hesitate to comment critically.)

Part of research work that was inspired by the work of Brian C and discussions with Smith Gonzalves.
Please note, I already reported this to Google’s Security Team as a privacy issue, but they closed this as a “feature”, so have fun with the feature. I also gave a lightning talk on this at 36C3.

TL;DR



“An IP address (short for Internet Protocol address) is used to identify computers on the Internet. It works like a return address would on a piece of mail. When your computer or device sends a request, like a search on Google, it tags the request with your IP address. You can find an approximate location of the device through its IP address.”

Now it is obvious that a user's ISP location can easily be identified from their IP address; this is a publicly available feature mainly used to identify the endpoint's country of origin. IP geolocation is inherently imprecise. Locations are often placed near a population centre. Any location provided by a GeoIP database should not be used to identify a particular address or household.

For this article, I am willing to compromise my "approximate location" (edit: this is entirely different from the ISP location and is much closer to my current geolocation, as visible in the screenshots below) from a cafeteria, because you can get this information anyway. Thanks to Google :)

I did a quick lookup of my IP address geolocation, and here is how it looks in various databases.

Screenshot: whatismyip.com (removed IP address in decimal, thanks 404lazy)

Screenshot: almost the same coordinates

Screenshot: ipify.com

Notice the identified latitude and longitude; marking it on Google Maps (below) you can see the distance of this location from my original point of access.


There was another GeoIP location provider that provided slightly different information.




Screenshot: ipapi

Screenshot: ipapi location trace

Setup

Before we look at the various tests conducted against the Google API, here is how I set up the environment:
  1. Fiber line (DSL, not 3G/4G) at a cafeteria
  2. Computer 1 with location services allowed
  3. Computer 2 with location services disallowed
Computer 1: Location Services Enabled





Now let us look at what Google does. We first turn on geolocation in our browser (with location services allowed) and write a quick piece of JavaScript to get the geolocation.




Screenshot: Location from Location Services Allowed

This geolocation, obtained directly from the browser Geolocation API, shows how close it is to my real location (notice that the identified location is still not inside the circle).

Screenshot: Tracing Location from Location Services on Google Maps

Strangely enough, after attempting this a number of times (changing browsers, connecting my mobile phone and accessing Google Maps with GPS), I got a slightly more accurate result, as shown below.




Screenshot: Location with Allowed Location Service

Screenshot: Tracing Location with Allowed Location Services on Google Maps

But wait. For this I basically had my location services "allowed". Have I become another fs0c131y who reports this kind of information? Fortunately not! (Oof! That below-the-belt attack. #ForTehLulz)
During this, I noticed that when I opened Google Maps with "allow location" turned off, it automatically focused on the region where I currently was.

Computer 2: Location Services Disabled in Incognito mode





I now spun up the second computer with location services disabled and the browser in incognito mode.
Here is where a discussion with Smith, and the idea to look into Google APIs, came in handy. Researching further, I came across this interesting API in the Google APIs: https://developers.google.com/maps/documentation/geolocation/intro

Quick Notes from Geolocation Docs:
a. Either give it Wi-Fi or cell tower data, or the API returns its response based on your IP address
b. The API responds with the location and the accuracy that a mobile client can detect
c. Response: {“latitude”:””, “longitude”:””, “accuracy”:””}
To query this information from the Google API you need to send a POST request from your computer. However, the IP address is taken directly from the system where the connection has been established and is not passed as an input variable. Hence we build a POC with XMLHttpRequest.
The goal of the XMLHttpRequest is to query the Google Geolocate API from the victim machine and capture the latitude, longitude and accuracy from the response. This could then be put on a webpage, and anyone visiting this webpage would automatically give me their location coordinates.
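What the response actually tells you about a visitor is bounded by its accuracy field, so the privacy impact is best judged by measuring the reported point against a known position. As an added illustration (not code from the original post), the block below normalises the response fields and uses the haversine formula to compute how far the reported point lies from a reference position and whether that position falls inside the claimed accuracy radius. The sample response and coordinates are constructed; the nested `location.lat`/`location.lng` shape is the one the Geolocation API documents, and the flat `latitude`/`longitude` shape is the post's shorthand, so both are accepted. Nothing here sends a request anywhere.

```javascript
// Added example (not from the original post): interpret a Geolocation API
// style response and measure how far its point is from a known position.
// Accuracy is in metres. The constructed sample below is not a real capture.

const EARTH_RADIUS_M = 6371000;

// Normalise either response shape into {lat, lng, accuracy} as numbers.
function parseGeolocateResponse(jsonText) {
  const body = JSON.parse(jsonText);
  const loc = body.location || body;            // nested (API) or flat (post)
  const lat = Number(loc.lat ?? loc.latitude);
  const lng = Number(loc.lng ?? loc.longitude);
  const accuracy = Number(body.accuracy);
  if (![lat, lng, accuracy].every(Number.isFinite)) {
    throw new Error('response missing latitude, longitude or accuracy');
  }
  return { lat, lng, accuracy };
}

// Great-circle distance in metres between two WGS84 points (haversine).
function haversineM(lat1, lng1, lat2, lng2) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(lat2 - lat1);
  const dLng = toRad(lng2 - lng1);
  const a =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(lat1)) * Math.cos(toRad(lat2)) * Math.sin(dLng / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.atan2(Math.sqrt(a), Math.sqrt(1 - a));
}

// Does the known position fall inside the circle the API claims?
function assessFix(fix, trueLat, trueLng) {
  const distanceM = haversineM(fix.lat, fix.lng, trueLat, trueLng);
  return { distanceM, inside: distanceM <= fix.accuracy };
}

// Constructed sample: the API places the visitor at 0,0 with a 2.1 km radius.
const SAMPLE_RESPONSE = '{"location":{"lat":0,"lng":0},"accuracy":2100}';

function demo() {
  const fix = parseGeolocateResponse(SAMPLE_RESPONSE);
  const acrossTheStreet = assessFix(fix, 0, 0.01); // ~1112 m east: inside
  const nextTown = assessFix(fix, 0.05, 0);        // ~5560 m north: outside
  return { fix, acrossTheStreet, nextTown };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with `node` to see the two verdicts. The point of the `inside` flag is the one the post makes: an accuracy of 2.1 km does not mean the fix is 2.1 km off, it means the true position is somewhere inside that circle, which can be the building across the street.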

Fun and Profit





Screenshot: Querying GoogleApis with XMLHttpRequest

Interestingly, the accuracy shows 2.1 km. However, after placing it on a map, the location shown was a place across the street from where I was sitting!



Screenshot: Tracing Location with Location Services Disallowed on Google Maps

Obviously now that we got this interesting API giving out user locations, I had to identify the aspects of fun and profit with this API. So I tweeted.



Screenshot of the tweet: Flag: Follow me on Twitter. lol; https://shellcoder.000webhostapp.com

And of course we see the different user locations.



Screenshot: Testing server capture

From the data collected I observed that the reported user location accuracy ranged from 3 km to 561 km. This was a huge difference. After confirming with a few friends from India, I hypothesized that mobile internet users seem to be safer with respect to the collected accuracy, as they have a roaming profile and hence ever-changing location information.




Screenshot: POC for a 3rd party capturing user data

Side note:

Another area that one can explore is exploiting script parsing on the user's endpoint. For example, I embedded the JavaScript in an HTML file and uploaded it to html2pdf.com, only to receive the rendering server's location on my server. BAM!



Screenshot: html2pdf.com

(A location-compromising SSRF! However, this is obviously not a security issue. It might have been a privacy issue for the server, which I don't believe is the case here.)
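From the operator's side, the html2pdf incident above is a headless renderer executing untrusted markup with a live network connection: any script or remote resource it loads makes a request from the render host, and the GeoIP position of that host's egress address is what came back. The block below is an added example (not code from the original post, and not html2pdf.com's implementation) of the two controls a rendering service would apply: disable JavaScript for the document, and refuse every outbound request that is not an inline resource or an explicitly allowlisted origin. `outboundRequestPolicy` is a plain function that runs anywhere; `renderUntrustedHtml` is a hypothetical wrapper that assumes the Puppeteer library is installed and uses its request-interception API. The sample request URLs are constructed, and the API key in the first one is a placeholder.

```javascript
// Added example (not from the original post): hardening a server-side
// HTML-to-PDF renderer so untrusted markup cannot make the render host
// open connections that reveal its egress IP and GeoIP position.

// Decide whether a request the page tries to make may leave the sandbox.
// Inline resources (data:/blob:/about:) never touch the network and are
// allowed; anything else must match an exact allowlisted origin.
function outboundRequestPolicy(url, allowedOrigins = []) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return { allow: false, reason: 'unparseable URL' };
  }
  if (['data:', 'blob:', 'about:'].includes(parsed.protocol)) {
    return { allow: true, reason: 'inline resource, no network' };
  }
  if (allowedOrigins.includes(parsed.origin)) {
    return { allow: true, reason: 'allowlisted origin' };
  }
  return { allow: false, reason: `blocked network fetch to ${parsed.origin}` };
}

// Hypothetical wrapper: assumes `puppeteer` is installed in the service.
// JavaScript is switched off (no XMLHttpRequest/fetch at all) and every
// remaining request (images, fonts, iframes) goes through the policy.
async function renderUntrustedHtml(html, { allowedOrigins = [] } = {}) {
  const puppeteer = require('puppeteer');
  const browser = await puppeteer.launch();
  try {
    const page = await browser.newPage();
    await page.setJavaScriptEnabled(false);
    await page.setRequestInterception(true);
    page.on('request', (req) => {
      const verdict = outboundRequestPolicy(req.url(), allowedOrigins);
      if (verdict.allow) req.continue();
      else req.abort('blockedbyclient');
    });
    await page.setContent(html, { waitUntil: 'load' });
    return await page.pdf({ format: 'A4' });
  } finally {
    await browser.close();
  }
}

// Constructed sample requests an uploaded document might trigger.
const SAMPLE_REQUESTS = [
  'https://www.googleapis.com/geolocation/v1/geolocate?key=PLACEHOLDER_KEY',
  'data:image/png;base64,iVBORw0KGgo=',
  'https://cdn.example.internal/logo.png',
];

// Returns [url, allowed] pairs for the sample requests.
function demoDecisions(allowedOrigins = ['https://cdn.example.internal']) {
  return SAMPLE_REQUESTS.map((u) => [u, outboundRequestPolicy(u, allowedOrigins).allow]);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [url, allowed] of demoDecisions()) {
    console.log(allowed ? 'allow ' : 'block ', url);
  }
}
```

Disabling JavaScript in the renderer is the operator-side counterpart of the "turn off JavaScript" advice in the conclusion: the geolocate call in the uploaded page never runs, and the request interceptor catches the non-script ways (an `<img>` or `<link>` pointing at an external host) of making the render host phone out. Running the renderer in a network namespace with no default route is the belt-and-braces version of the same policy.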

Conclusion

You can't fight Google's influence on your life. If you are not using safeguards like a VPN, you are being very bold on today's internet. Everyone is collecting your data.
From this article, it is evident that a more accurate location of yours can be identified by a third party. Imagine a stalker who can locate you to the block where you live.
The closest I have tracked myself was a location where the reported accuracy was down to 700 to 800 meters while the location shown was about a block away. While testing from other locations, the accuracy was at times reported as 2 km, yet the geolocation showed the building next to mine.
Clearly the user lies somewhere within the reported accuracy radius. In my subjective opinion that is a small distance; Google's response, understandably, is that it is not small enough to count as a privacy issue unless pinpoint accuracy is achieved.
Here are a few steps that could help in this specific case:
  1. Use a Virtual Private Network (with a spoofed IP, Google will return the location information of the spoofed IP address, or whatever it has stored for it).
  2. Feed wrong information to Google (fake GPS). When I was at 36C3, before the conference the IP address resolved to an accurate geolocation with the help of the Google API, because individuals around the area had shared their location coordinates with Google while using the Wi-Fi. Once the conference started, multiple spoofed GPS signals were broadcast around the area, and the Google API located the IP address at the spoofed coordinates rather than the real ones.
  3. Turn off JavaScript for untrusted websites. A web server needs your browser to send the XMLHttpRequest; specific to my crafted POC, you would have to turn off JavaScript so that a page cannot execute it from your browser.
Also remember: Your privacy is your responsibility!   

Comments

:D I just read this article and it is so awesome!! Thanks to Tanoy Bose
