Closed Bug 601526 Opened 14 years ago Closed 14 years ago

XSS Exploit allows for Geolocation Stealing

Categories

(Firefox :: Security, defect)

x86
Windows Vista
defect
Not set
critical

RESOLVED INVALID

People

(Reporter: trappmanrhett, Unassigned)

Details

(Keywords: privacy)

User-Agent:       Mozilla/5.0 (Windows NT 6.0; rv:2.0b6) Gecko/20100101 Firefox/4.0b6
Build Identifier: Mozilla/5.0 (Windows NT 6.0; rv:2.0b6) Gecko/20100101 Firefox/4.0b6

The above URL contains a "proof of concept" that explains how users don't have to be prompted for their location. Firefox should be able to detect XSS methods like this and prompt the user.

Reproducible: Always
Version: unspecified → Trunk
Keywords: privacy
The method works like this:
1. You visit a malicious web site (why are people so mean?)
2. The web site has a hidden XSS against your router (in this example, I'm using an XSS I discovered in the Verizon FiOS router)
3. The XSS obtains the MAC address of the router via AJAX.
4. The MAC address is then sent to the malicious person. In the test case below, it's sent to me (not that I'm malicious!)
5. I then take the MAC address and send it along to Google Location Services. This is an HTTP-based service where router MAC addresses are mapped to approximate GPS coordinates from other data sources. There are NO special browser requirements, nor does a user need to be prompted. I determined this protocol by using Firefox's Location-Aware Browsing (http://www.mozilla.com/en-US/firefox/geolocation/).
6. I grab the coordinates and show it to you in a pretty map below.

As far as I can tell, this is not a Firefox bug, but a server bug on the router. Is there any reason we shouldn't close this INVALID? Did you report the FIOS router bug to Verizon?
(In reply to comment #1)
> As far as I can tell, this is not a Firefox bug, but a server bug on the
> router. Is there any reason we shouldn't close this INVALID?

Nope.  This is not a Firefox bug.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID