Published on March 11th, 2020
Written by Aanand Krishnan, CEO and Founder of Tala Security

Geolocation Privacy

 

It’s one thing to deliberately share user geolocation data without consent, but what if you’re inadvertently giving it away? Tala CEO Aanand Krishnan says there’s a lot more to third-party attacks than ‘just’ skimming.

The Federal Communications Commission is proposing over $200m in fines for wireless carriers who knowingly shared, sold or otherwise mishandled their customers’ location data. Following significant press investigations and reports, public awareness of the risks associated with this kind of breach is growing and we’re now seeing calls from privacy advocates to strengthen legislation, add teeth to existing privacy regulations and even hold CEOs personally responsible for making promises they can’t keep on customer privacy.

One big New York Times investigation referred to “Twelve Million Phones, One Dataset, Zero Privacy”, but many businesses may be unaware that their websites expose the same kind of data. Tala has written extensively about the third-party JavaScript supply-chain problem on the web. In particular, the uncontrolled growth in third-party scripts can lead to loss of sensitive customer data - credentials, credit card information etc. We have seen hundreds of websites fall victim to these hacks.

The datasets are typically stolen by means of a ‘skimming’ attack, where malicious JavaScript captures a copy of whatever the user types into a web form. But that’s not the whole story: there are many ways attackers can use JavaScript to reach sensitive data - and many types of data they can steal, including geolocation.

 

Not Just Skimming

Besides skimming, JavaScript has other routes to sensitive user data. HTML5 exposes a Geolocation API (navigator.geolocation) that lets a script obtain the location of a mobile or desktop user. For example, a script can call navigator.geolocation.getCurrentPosition() with a success callback that receives the user’s coordinates (latitude, longitude and an accuracy estimate in metres), or watchPosition() to keep receiving updates as the user moves.
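The following is an added example, not code from the original post: a small Promise-based wrapper around the Geolocation API that names the three PositionError codes, enforces an explicit timeout, and checks the remembered permission state through navigator.permissions without triggering a prompt. The API objects are passed in as parameters (normally navigator.geolocation and navigator.permissions) so the code can also run outside a browser against the constructed stand-ins at the bottom of the block; the coordinates and the fake objects are invented for the example.

```javascript
// Added example (not from the original post): Promise wrapper around the HTML5
// Geolocation API plus a silent permission-state check. `geo` and `permissions`
// are injected (navigator.geolocation / navigator.permissions in a browser) so
// the functions can be exercised offline with the constructed stand-ins below.

const POSITION_ERROR_NAMES = {
  1: 'PERMISSION_DENIED',     // user refused, or Feature-Policy blocks this document
  2: 'POSITION_UNAVAILABLE',  // no location provider, or the lookup failed
  3: 'TIMEOUT',               // options.timeout elapsed before a fix was obtained
};

function positionErrorName(code) {
  return POSITION_ERROR_NAMES[code] || 'UNKNOWN';
}

// Reduce a GeolocationPosition to the fields an application actually needs.
function normalisePosition(pos) {
  return {
    latitude: pos.coords.latitude,
    longitude: pos.coords.longitude,
    accuracyMetres: pos.coords.accuracy,
    timestamp: pos.timestamp,
  };
}

// Resolve with a normalised position or reject with a named error. A rejection
// named PERMISSION_DENIED is also what a cross-origin iframe sees when the
// embedding page's Feature-Policy does not allow geolocation for it.
function getPosition(geo, options = {}) {
  const opts = { enableHighAccuracy: false, timeout: 10000, maximumAge: 0, ...options };
  return new Promise((resolve, reject) => {
    if (!geo || typeof geo.getCurrentPosition !== 'function') {
      reject(new Error('Geolocation API is not available in this context'));
      return;
    }
    geo.getCurrentPosition(
      (pos) => resolve(normalisePosition(pos)),
      (err) => {
        const e = new Error(`geolocation failed: ${positionErrorName(err.code)} (${err.message})`);
        e.name = positionErrorName(err.code);
        e.code = err.code;
        reject(e);
      },
      opts,
    );
  });
}

// Ask the Permissions API whether this origin already holds the geolocation
// permission: 'granted', 'denied' or 'prompt'. No prompt is shown, which is why
// a previously clicked 'Allow' is invisible to the user on later visits.
async function permissionState(permissions) {
  if (!permissions || typeof permissions.query !== 'function') return 'unknown';
  const status = await permissions.query({ name: 'geolocation' });
  return status.state;
}

// Constructed stand-ins for navigator.geolocation / navigator.permissions,
// used only so the example runs offline. They are not browser objects.
const fakeGrantedGeo = {
  getCurrentPosition(success) {
    success({ coords: { latitude: 37.7749, longitude: -122.4194, accuracy: 25 }, timestamp: 1583884800000 });
  },
};
const fakeDeniedGeo = {
  getCurrentPosition(_success, failure) {
    failure({ code: 1, message: 'User denied Geolocation' });
  },
};
const fakePermissions = {
  query: async () => ({ state: 'granted' }),
};

// In a browser: getPosition(navigator.geolocation, { timeout: 5000 }).then(console.log)
```

Calling getCurrentPosition as a method of the injected object matters: detaching it from navigator.geolocation throws an illegal-invocation error in browsers. The permissionState check is the cheap way to audit, from the page's own code, whether a past ‘Allow’ is still in force.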

 

 

If a website wants to access your geolocation, the browser prompts the user for permission with a pop-up.

There are two issues with the pop-up. First, it only appears the first time the website asks. If the user clicks ‘Allow’, most browsers remember that decision for the site, and the website can then read the user’s location at any time in the future without asking again, until the user revisits the site’s permissions in the browser settings. A page can even query the remembered state silently through navigator.permissions, so nothing visible happens on later visits.

 

 

Secondly, clicking ‘Allow’ grants the permission to the website’s origin, not to a particular script. In this example the page is served from w3schools.com, so scripts loaded from w3schools.com and scripts the page pulls in from any third-party domain with a <script> tag all run in the page’s origin, and all of them can read the user’s location. In essence, malicious or adware scripts inherit the website’s permission and can use it to access sensitive user geolocation data.

 

What Can Website Owners Do?

The good news is that modern web browsers (PC and mobile) provide fine-grained security controls to monitor and block unauthorized access by third-party scripts.

In particular, a relatively new browser feature called Feature-Policy lets website owners specify which origins may use sensitive features and resources. It is delivered as an HTTP response header on the page (Feature-Policy: ...) and, for individual embedded documents, as an allow attribute on the <iframe> element. For example, a website can use it to stop an embedded third-party frame from accessing the user’s microphone or camera. (Browsers have since renamed the header Permissions-Policy, with a new syntax such as Permissions-Policy: geolocation=(self "https://trusted-domain.com"); Chrome kept accepting the older Feature-Policy header for compatibility.)

Feature-Policy also lets a website control access to user geolocation data. Using the geolocation directive, a website can specify which origins may obtain location information, including cross-origin iframes. The policy is evaluated per document (the page itself and each iframe it embeds), not per script.

For example, with the following policy, only the website’s own origin may access location information: the page itself and any same-origin iframe can call getCurrentPosition(), while a cross-origin iframe that tries to do so gets its error callback invoked with PERMISSION_DENIED (code 1), and no prompt is shown. One caveat a practitioner should keep in mind: a third-party script pulled into the page with a <script> tag is not a separate document. It runs in the page’s own origin, keeps whatever the page is allowed, and Feature-Policy alone does not stop it. Restricting which scripts load at all (Content Security Policy script-src, Subresource Integrity) is the control for that case.

Feature-Policy: geolocation 'self'

If the website wants to allow a second origin, let’s call it trusted-domain.com, to access location information, it can do so with the following policy. In addition, the <iframe> that embeds trusted-domain.com needs allow="geolocation" on the element, because the feature’s default allowlist is 'self' and a cross-origin frame is otherwise denied even when the header names it:

Feature-Policy: geolocation 'self' https://trusted-domain.com
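The following is an added example, not code from the original post: a model of how a browser decides whether geolocation is granted to a document under a Feature-Policy header. It implements the allowlist keywords used in the two headers above ('self', 'none', '*', explicit origins) together with the iframe rule that a cross-origin frame must both be on the page’s allowlist and carry allow="geolocation" on the <iframe>, since the feature’s default allowlist is 'self'. The page origin https://example.com, the ad-network origin and the scenario names are constructed for the example.

```javascript
// Added example (not from the original post): evaluate the Feature-Policy
// geolocation allowlist for a top-level page or one of its iframes.
// Origins and header values in the scenarios below are constructed.

// Parse "feature allowlist; feature allowlist" (header value or iframe allow
// attribute) into { feature: [tokens] }. Quoted keywords keep their quotes so
// they cannot be confused with a host literally named self.
function parseFeaturePolicy(value) {
  const policy = {};
  for (const directive of (value || '').split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    policy[feature.toLowerCase()] = allowlist;
  }
  return policy;
}

function sameOrigin(a, b) {
  return a.replace(/\/$/, '').toLowerCase() === b.replace(/\/$/, '').toLowerCase();
}

// Is `origin` covered by `allowlist`, where 'self' stands for `selfOrigin`?
function originAllowed(allowlist, origin, selfOrigin) {
  if (allowlist.includes("'none'")) return false;
  if (allowlist.includes('*')) return true;
  if (allowlist.includes("'self'") && sameOrigin(origin, selfOrigin)) return true;
  return allowlist.some((entry) => !entry.startsWith("'") && sameOrigin(entry, origin));
}

// Decide whether geolocation is enabled for the top-level page (frameOrigin
// null) or for an <iframe> of the given origin embedded in that page.
function geolocationAllowed({ header = '', pageOrigin, frameOrigin = null, frameAllow = '' }) {
  const declared = parseFeaturePolicy(header).geolocation; // undefined if the header is silent
  const pageEnabled = declared ? originAllowed(declared, pageOrigin, pageOrigin) : true;
  if (frameOrigin === null) return pageEnabled;
  if (!pageEnabled) return false;

  // 1. The embedding page's declared policy must permit the frame's origin.
  if (declared && !originAllowed(declared, frameOrigin, pageOrigin)) return false;

  // 2. Container policy: the frame's allow attribute, or the default allowlist 'self'.
  const attr = parseFeaturePolicy(frameAllow).geolocation;
  if (attr === undefined) return sameOrigin(frameOrigin, pageOrigin);
  // A bare allow="geolocation" means 'src', i.e. the frame's own origin.
  const list = (attr.length ? attr : ["'src'"]).map((e) => (e === "'src'" ? frameOrigin : e));
  return originAllowed(list, frameOrigin, pageOrigin);
}

// Constructed scenarios mirroring the two headers shown in the post.
const SELF_ONLY = "geolocation 'self'";
const SELF_AND_TRUSTED = "geolocation 'self' https://trusted-domain.com";
const PAGE = 'https://example.com';
const TRUSTED = 'https://trusted-domain.com';

function runScenarios() {
  return {
    pageWithSelfOnly: geolocationAllowed({ header: SELF_ONLY, pageOrigin: PAGE }),
    trustedFrameUnderSelfOnly: geolocationAllowed({ header: SELF_ONLY, pageOrigin: PAGE, frameOrigin: TRUSTED, frameAllow: 'geolocation' }),
    trustedFrameWithAllow: geolocationAllowed({ header: SELF_AND_TRUSTED, pageOrigin: PAGE, frameOrigin: TRUSTED, frameAllow: 'geolocation' }),
    trustedFrameWithoutAllow: geolocationAllowed({ header: SELF_AND_TRUSTED, pageOrigin: PAGE, frameOrigin: TRUSTED }),
    otherFrameWithAllow: geolocationAllowed({ header: SELF_AND_TRUSTED, pageOrigin: PAGE, frameOrigin: 'https://adnetwork.example', frameAllow: 'geolocation' }),
    pageWithNone: geolocationAllowed({ header: "geolocation 'none'", pageOrigin: PAGE }),
  };
}
```

The model deliberately has no input for a third-party <script>: such a script is not a document, so it is judged as part of the page and gets whatever the page gets. In Chrome the live equivalent of this check is document.featurePolicy.allowsFeature('geolocation'), which a page (or an iframe) can call to see what the deployed headers actually granted it.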

 

Conclusion

With new privacy laws in place, website owners should prioritize restricting access to sensitive user data so that their websites don’t become conduits for data breaches or privacy violations. Browser-native controls like Content Security Policy (CSP), Subresource Integrity (SRI) and Feature-Policy (since renamed Permissions-Policy) are freely available for websites to enforce the right security and privacy policies.

To find out more about the risks specific to your organization, Tala can provide a Website Risk Analysis that will highlight client-side vulnerabilities on your web properties. Tala advocates both understanding risk and enabling standards-based, browser-native controls. We help organizations deploy and dynamically tune these capabilities to ensure continuous client-side security with zero impact on performance. Find out more or request a demo at www.talasecurity.io.

 

 

Author

Aanand Krishnan, CEO and Founder of Tala Security

Aanand Krishnan is the CEO and Founder of Tala Security. Prior to Tala, Aanand was most recently a senior director of product management at Symantec where he built Symantec’s first big data security analytics platform and led key strategy projects that helped establish the company’s vision and strategic focus. Aanand spent several years in investment banking and mergers and acquisitions at Morgan Stanley and Dolby Labs and acted as an adviser to leading security software, semiconductor and clean tech companies. He started his career building high-speed optical networking products at Agilent Technologies. Aanand holds an MBA from Berkeley where he was a recipient of the CJ White Fellowship, a Master’s in Photonics and Optoelectronics from UC Santa Barbara where he was a QUEST Fellow and a Bachelor’s in Electrical Engineering with Honors from BITS, Pilani.

Find Aanand on LinkedIn

 
