How HTML 5 Geolocation could be exploited

Posted on 3rd April 2018 - Takes 2 minutes to read

Update: Although geolocation is commonly referenced when discussing HTML 5, it is an API which is maintained in a separate specification and is not actually a new feature of HTML 5.

Identifying the physical location of a computer via HTML 5's geolocation is now incredibly easy and only requires a few lines of JavaScript.

Due to the simplicity of geolocation and its ever-growing support in modern browsers, it seems very probable that this could be exploited for malicious purposes. An example scenario of how malware could theoretically track the physical location of an infected machine is as follows.

  1. Malware infects system and becomes memory resident.
  2. Malware adds malicious website URL to a local web browser's HTML 5 geolocation white list.
  3. Malware launches hidden/backgrounded instance of web browser, navigating to malicious website URL.
  4. Malicious website JavaScript utilises HTML 5 geolocation services to track physical location.
  5. Physical location is relayed to server via AJAX or other means.
  6. Steps 4 and 5 can be repeated as part of a loop containing a time delay within the malicious website's JavaScript.
  7. Malware can monitor the memory resident state of the browser within the system's process list and restart the hidden/backgrounded web browser instance if required.

In this example, the geolocation is all done via a local hidden user agent (web browser) using web technologies. The web part of the system is, by its very nature, multi-platform. However, the initial piece of malware which launches the hidden web browser instance will likely be written in a platform-specific manner.

Changing this, or writing multiple versions of the 'browser launcher' malware, would effectively produce a form of malware which could track the physical location of users regardless of their operating system.
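
Step 2 of the scenario leaves an artefact a defender can look for: a geolocation "allow" entry that nobody on the machine knowingly granted. The following is an added example, not code from the original post, which audits an already-parsed browser preferences object against a list of approved origins. It assumes a Chromium-style Preferences JSON layout; the function names, sample origins and timestamps are constructed for illustration.

```javascript
// Added example: audit a browser profile's geolocation allow list (defensive check).
// Assumption: Chromium-style Preferences JSON, where site exceptions sit under
// profile.content_settings.exceptions.geolocation and setting 1 means "allow".
const CHROME_EPOCH_OFFSET_MS = 11644473600000n; // 1601-01-01 to 1970-01-01

// Constructed sample data, not taken from a real profile.
const samplePrefs = {
  profile: { content_settings: { exceptions: { geolocation: {
    "https://maps.example.com:443,*": { last_modified: "13167000000000000", setting: 1 },
    "https://tracker.example.net:443,*": { last_modified: "13167100000000000", setting: 1 },
    "https://news.example.org:443,*": { last_modified: "13166000000000000", setting: 2 },
  } } } },
};

function toIsoTime(lastModified) {
  // Assumed format: microseconds since 1601-01-01, stored as a decimal string.
  if (!/^\d+$/.test(String(lastModified ?? ""))) return null;
  const ms = BigInt(lastModified) / 1000n - CHROME_EPOCH_OFFSET_MS;
  return new Date(Number(ms)).toISOString();
}

function auditGeolocationAllowList(prefs, approvedOrigins) {
  const entries = prefs?.profile?.content_settings?.exceptions?.geolocation ?? {};
  const approved = new Set(approvedOrigins.map((o) => new URL(o).origin));
  const findings = [];
  for (const [pattern, value] of Object.entries(entries)) {
    if (value?.setting !== 1) continue; // only "allow" grants matter here
    const primary = pattern.split(",")[0]; // key is "requesting origin,embedding origin"
    let origin;
    try {
      origin = new URL(primary).origin; // normalises default ports such as :443
    } catch {
      origin = primary; // keep unparsable patterns visible rather than dropping them
    }
    if (!approved.has(origin)) {
      findings.push({ origin, grantedAt: toIsoTime(value.last_modified) });
    }
  }
  return findings;
}

console.log(auditGeolocationAllowList(samplePrefs, ["https://maps.example.com"]));
```

Run periodically and compared against the previous result, a check like this turns a silently added allow entry into something that can be alerted on, alongside monitoring for browser processes started without a visible window (steps 3 and 7).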

Do you think this kind of malware is a reasonable threat now or in the near future? What other potential problems exist for devices that can be identified by geolocation technologies?
