Many of the world’s most popular websites and browsers are leaking your location, right down to your country, city, neighborhood, and home address, according to new research from the National University of Singapore.
A “geo-inference attack” allows virtually anyone with a website—even if they don’t have your permission—to narrow down a person’s country, city, and neighborhood by measuring the timing of browser cache queries related to increasingly ubiquitous geo-location services like Google and Craigslist.
The leakage is widespread in the U.S., Australia, Japan, Singapore, and the U.K., affecting an average of 62 percent of those countries’ respective Alexa top 100 websites, according to researcher Yaoqi Jia. It affects Chrome, Firefox, Internet Explorer, Opera, and Safari, he said.
This is a “new attack” with a “big impact,” Yaoqi told the Daily Dot. “It’s the first to utilize timing channels in browsers to infer a user’s geo-location.”
“No existing defenses are efficient to defeat such attacks,” Yaoqi asserted.
Even Tor, the anonymizing network dedicated to protecting the user’s anonymity and location, does not protect perfectly against this attack. However, “it deploys good protection features,” Yaoqi said, and is likely the best browser defense one has against geo-inference attacks.
The vulnerability stems from the fact that some of the world’s most popular websites are “location-oriented,” meaning they’re necessarily aware of visitors’ location information. Craigslist sites let users narrow their search by city or even neighborhood. Google directs users to a country-specific page—Google.com is just for the U.S., for example; Canadians get Google.ca. And then there are services like Google Maps, which caters to exact addresses and remembers specifically where almost all of its users live.
The problem comes when the location information known by sites like Google and Craigslist leaks and becomes available to third parties that have no permission to know where you live.
All browsers use memory cache in order to quickly load frequently used websites. Files you’ll see again and again are saved to your computer, saving the time it would take to repeatedly download them.
But that deeply entrenched practice isn’t necessarily secure. An attacker can measure exactly how long it takes to load these resources and, with that information, narrow down your location—potentially down to your exact address.
To do that, an attacker needs to set up a website containing scripts that probe caches in browsers. By measuring image load time, an attacker can see that the local cached image loads more than 100 times more quickly than any other. So with a few lines of code, your country is exposed.
To find your city, the attacker uses the same idea with websites like Craigslist. By measuring the load time of Craigslist’s 712 city-specific websites, it’s a quick bit of code and arithmetic to narrow down location even further.
Locating your neighborhood is as easy as taking these same kinds of tricks and using them against Google Maps and other map services. An attacker will measure how fast a user loads specific cached map tiles and once again narrow down location to within a few blocks.
Browsing in incognito mode is only a half-fix. While resources aren’t cached after the incognito session is over, they are cached during the session, so a user remains vulnerable. And virtual private networks, which obscure a person’s IP address and location, still don’t affect browser caches.
Tor protects against the attack by leaving fewer cached resources and by better sorting what is cached, which in some cases stops attackers from checking the cache from another domain. The browser is still susceptible in some less frequent ways, though. The latest testing by researchers showed Tor Browser version 188.8.131.52 is definitely susceptible, and judging from comments from Tor developers, it appears the problem is at least receiving significant attention if it hasn’t been fixed already.
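The difference that per-domain cache sorting makes can be seen in a toy model, added here as an illustration and not taken from the research paper or from any browser's code. It assumes isolation works by keying each cache entry on the top-level site that loaded it; the hostnames `portal.example` and `unrelated.example` and the timing values are constructed.

```javascript
// Added illustration: toy cache model, not any browser's implementation.
const HIT_MS = 1;    // constructed: simulated load time for a cached resource
const MISS_MS = 150; // constructed: simulated load time for a network fetch

class ModelCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Set();
  }
  // Shared cache: the key is the resource URL alone.
  // Partitioned cache: the key also includes the top-level site doing the load.
  key(topLevelSite, url) {
    return this.partitioned ? `${topLevelSite}|${url}` : url;
  }
  // Simulated load: returns elapsed ms and stores the resource on a miss.
  load(topLevelSite, url) {
    const k = this.key(topLevelSite, url);
    if (this.entries.has(k)) return HIT_MS;
    this.entries.add(k);
    return MISS_MS;
  }
}

// Hypothetical regional resources of a location-oriented site.
const REGIONAL = ["us", "ca", "sg", "jp"].map(
  (cc) => `https://portal.example/logo-${cc}.png`
);

// Returns the regional resources that look cached when loaded from an
// unrelated site after the user has visited their own regional page.
function leakedRegions(partitioned, userRegionUrl) {
  const cache = new ModelCache(partitioned);
  cache.load("portal.example", userRegionUrl); // the user's normal visit
  return REGIONAL.filter(
    (url) => cache.load("unrelated.example", url) < MISS_MS / 2
  );
}

console.log("shared cache:     ", leakedRegions(false, REGIONAL[2]));
console.log("partitioned cache:", leakedRegions(true, REGIONAL[2]));
```

With the shared cache the one fast load singles out the user's region; with the partitioned cache every load from the unrelated site is a miss, so the timing carries no location signal.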
Yaoqi has two suggestions for users looking to protect their information: “Never give additional permissions to unfamiliar sites or open it for a long time” and “clear [your] cache after visiting a site with your credentials, e.g. online banking sites.”
That’s a tough ask for the vast majority of Internet users who—let’s face it—almost never clear their cache.