University group reveals geo-inference attack threat that uses browser cache to reveal user location

University group reveals geo-inference attack threat that uses browser cache to reveal user location
Geo-inference attacks sniff location-sensitive resources left by the location-oriented sites (e.g., Google, Craigslist, and Google Maps) through timing side channels in the browser cache to infer the victim’s geolocation. Credit: Yaoqi Jia et al.

A team of researchers at the National University of Singapore has published a paper on their university web site outlining what they describe as geo-inference attacks—where hackers can set up a website and then use cache information in a user's browser to reveal their geographical location.

Most Internet users are aware that some websites collect about them—they see ads for products that are related to sites that they have visited, for example. What most people probably do not realize however, is that data stored on a user's computer by a website, such as Google, can be used to reveal information to other web sites.

Most sites, including Google, encrypt information they save on a user computer, but , and the team in Singapore have found a way around this. Here is how it works—when you go to Google, Google notes which country you are in by your IP address and then stores that information in your cache so that the next time you go to Google, your computer will not have to download the logo—it can just pull it off your hard drive, which is a lot faster—that makes the Google site appear to load faster. Leaving that logo on your hard-drive presents an opening for hackers, though, because if they can get you to visit their web site (via spam, clicking on a link on another , etc.) they can get access to your cache. They cannot read the file Google left there, but they can check to see if the logo is there, Google does not bother scrambling its name.

To figure out which country you are in, all they have to do is attempt to read the logo off your drive three times (to determine if its cached)—and thereby infer your country location. They can do this because they know that Google has 191 regional domains, placed strategically around the world to provide optimal download speed for visitors to their site. To figure out a user's country, all they have to do is compare the time it takes to download the Google logo (image load time) against all the 191 possibilities—the one that loads the fastest, because it is cached, reveals the country location. Thus, the hackers can infer country location based on data residing in the cache left by another site.

The researchers report that by using a similar approach, hackers can use information left by sites such as Craigslist, Google Maps, etc. to zero in on city, neighborhood, or even street address. They report also that they tested all of the most popular browsers and found them all vulnerable to the same type of attack and claim that 62 percent of the Alexa top 100 websites in the US, Japan, Australia, the UK and Singapore leak location data.

Explore further

At a glance: What the EU says Google is doing wrong

More information: I Know Where You've Been: Geo-Inference Attacks via the Browser Cache, PDF: … ns/geo_inference.pdf

© 2015 Tech Xplore

Citation: University group reveals geo-inference attack threat that uses browser cache to reveal user location (2015, April 20) retrieved 14 October 2019 from
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Feedback to editors

User comments

Apr 22, 2015
They know where I am from my IP address, so what?
What if I visit the UK Google site?
Plus my GPS gives away my location!

Apr 22, 2015
Extend this further. Let's say I want to know if you visited web page. All I need to do is try to load an image from that site and I will no if you have recently visited that site.

This is similar in style to the hack that used CSS :visited styling to determine if someone had been to a specific URL.

Apr 22, 2015
They know where I am from my IP address, so what?

Probably useful if you are targetting an attack against a certain country.
...or if you have an exploit for a vulnerability that only works with specific country/language settings.
As Hybridprogrammer points out: methods like this could be used for blackmailing (e.g. if they target public figures they could profile them to find out whether they have visited dicey websites, gay porn, whatever ... )

Of course governments can use this too if such images are strategically, combinatorially altered on each visit. This could enable tracking accross multiple websites and give general profiles on who visited what and when.

Pretty scary stuff...but admittedly rather clever.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more