When assessing web applications, we typically look for vulnerabilities such as SQLi and XSS, which are generally the result of poor input validation. However, logical input validation (checking that a syntactically valid value actually makes sense) is just as important, and you can extract a lot of interesting information when it is missing.
Take the plethora of mobile apps that let you find people that are using the same app nearby. Logical validation on the coordinates you send should check that
- The accuracy value from your GPS is within reasonable limits. Coordinates accurate to 40 km are no good to anybody.
- You’re not moving around too fast. People jumping from Pretoria to Cape Town in under 3 seconds should at least raise some eyebrows.
On a recent assessment I saw that neither of these was checked, which led me to this.
The idea is simple: use the information at hand to home in on someone’s physical location. You work out which direction the person you’re trying to find is in, relative to you, then move in that direction and report a tighter accuracy radius from your fake GPS sensor. Rinse and repeat enough times, and you’ll end up with a good idea of where your target is.
I do this by first setting the accuracy value of my GPS sensor to a very large radius (i.e. a very inaccurate fix), then waiting for a target with a specific username to show up in the list of people nearby. As soon as that happens, I move in a particular direction by changing the lat/lon of my spoofed GPS, first north, then south-east, then south-west from the starting point, each time checking whether the target is still in the list of people nearby. If they are, the target lies in the direction I last moved, relative to where I started.
The POC I ran worked as follows. I set my GPS to Brooklyn Mall, accurate to 42 km, and put a target at a random intersection about 15 km away. This looked like so:
I then ran 3 requests to determine which direction the target was from the original location. I moved north, south-east and south-west by 21 km (this being half the accuracy):
Using that, I now knew the target was somewhere south-east of where I started, so I moved in that direction, again by 21 km, and halved the accuracy value of the gps. This left me here, with a much better idea of where to find the guy:
Running this in a loop looked as follows.
The last set of coordinates being here:
Which was 230 meters off.
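As an added example (not the author’s tooling and not the app’s real API), here is a small Python model of both halves of the post: a toy “people nearby” back end that, like the app assessed, trusts whatever coordinates and accuracy radius the client sends, the homing loop run against it, and the same service with the two logical checks from the list at the top switched on. Assumptions, none of which are stated in the post: the server lists a user as nearby when their true position falls inside the circle the caller reports; the search uses eight probe points per round with a step chosen so the probe circles provably cover the current search circle (a generalisation of the three-direction, halve-the-radius search described above, where more than one probe can still return the target); the Brooklyn Mall coordinates are approximate and the target position is constructed.

```python
"""Toy model of the 'people nearby' back end plus the homing loop run against it.
Constructed example for this post; Brooklyn Mall coordinates are approximate."""
import math

EARTH_R = 6_371_000.0  # mean Earth radius in metres


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_R * math.asin(math.sqrt(a))


def destination(lat, lon, bearing_deg, dist_m):
    """Point reached by travelling dist_m from (lat, lon) along bearing_deg (0 = north)."""
    p1, l1 = math.radians(lat), math.radians(lon)
    b, d = math.radians(bearing_deg), dist_m / EARTH_R
    p2 = math.asin(math.sin(p1) * math.cos(d) + math.cos(p1) * math.sin(d) * math.cos(b))
    l2 = l1 + math.atan2(math.sin(b) * math.sin(d) * math.cos(p1),
                         math.cos(d) - math.sin(p1) * math.sin(p2))
    return math.degrees(p2), math.degrees(l2)


class NearbyService:
    """Assumed server behaviour: a user is 'nearby' when their true position lies
    inside the circle the caller reports (lat/lon plus accuracy radius).
    validate=False trusts the client completely, as the post describes;
    validate=True adds the two logical checks the post asks for."""

    def __init__(self, users, validate=False, max_accuracy_m=1_000, max_speed_mps=70):
        self.users = users                  # username -> (lat, lon), true positions
        self.validate = validate
        self.max_accuracy_m = max_accuracy_m
        self.max_speed_mps = max_speed_mps  # ~250 km/h; illustrative threshold
        self.last_fix = {}                  # caller -> (timestamp_s, lat, lon)
        self.queries = 0

    def nearby(self, caller, lat, lon, accuracy_m, ts):
        self.queries += 1
        if self.validate:
            # Check 1: refuse fixes so coarse they are useless as a real position.
            if accuracy_m > self.max_accuracy_m:
                raise ValueError("fix too coarse: %.0f m" % accuracy_m)
            # Check 2: refuse moves that imply an impossible speed since the last fix.
            if caller in self.last_fix:
                ts0, lat0, lon0 = self.last_fix[caller]
                speed = haversine_m(lat0, lon0, lat, lon) / max(ts - ts0, 1e-9)
                if speed > self.max_speed_mps:
                    raise ValueError("implausible speed: %.0f m/s" % speed)
        self.last_fix[caller] = (ts, lat, lon)
        return [name for name, (ulat, ulon) in self.users.items()
                if haversine_m(lat, lon, ulat, ulon) <= accuracy_m]


def home_in(service, target, lat, lon, radius_m, n_probes=8, stop_m=250):
    """Shrink the circle known to contain `target` until its radius is below stop_m.

    Each round probes n_probes points `step` metres from the current centre, each
    reported with accuracy `step`. With step = R / (2 cos(pi/n)) the n probe
    circles cover the whole current circle of radius R (worst case is a point on
    the edge, at angle pi/n from the nearest probe, which is then exactly `step`
    away), so one probe must still list the target. Returns (lat, lon, radius_m).
    """
    if n_probes < 4:
        raise ValueError("need at least 4 probes for the circle to shrink")
    ts = 0
    while radius_m > stop_m:
        # 0.1 % margin covers rounding and the slight spherical/planar mismatch.
        step = 1.001 * radius_m / (2 * math.cos(math.pi / n_probes))
        for k in range(n_probes):
            plat, plon = destination(lat, lon, 360.0 * k / n_probes, step)
            ts += 1   # one query per second; a speed check would flag these jumps
            if target in service.nearby("attacker", plat, plon, step, ts):
                lat, lon, radius_m = plat, plon, step
                break
        else:
            raise RuntimeError("target not found in any probe; did they move?")
    return lat, lon, radius_m


if __name__ == "__main__":
    start = (-25.78, 28.24)                                # Brooklyn Mall, Pretoria (approx.)
    tgt = destination(start[0], start[1], 135, 15_000)     # constructed: 15 km south-east
    svc = NearbyService({"target": tgt, "bystander": (-25.70, 28.30)})
    lat, lon, r = home_in(svc, "target", start[0], start[1], 42_000)
    print("circle radius %.0f m, %.0f m from target after %d queries"
          % (r, haversine_m(lat, lon, *tgt), svc.queries))
    hardened = NearbyService({"target": tgt}, validate=True)
    try:
        home_in(hardened, "target", start[0], start[1], 42_000)
    except ValueError as e:
        print("hardened service rejected the first probe:", e)
```

Running the file prints the final circle radius and the number of queries it took (nine rounds of eight probes from a 42 km start). With validation switched on, the very first probe is rejected because a 22 km accuracy radius is not a plausible fix, and even if a coarse fix were allowed the second probe would trip the speed check, since consecutive probes are tens of kilometres apart one second apart. The thresholds (1 km, 70 m/s) are illustrative; derive real ones from what your users’ devices actually report.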
In conclusion, this technique relies on GPS data not being validated logically, and is likely to affect any mobile application that uses GPS data to show you a list of people nearby.