Saturday, August 21, 2010

Hacking Your Location With Facebook Places

Facebook recently released a new feature called "Places" which aims to tap into the growing location based services market made popular by other social networks like FourSquare and Gowalla. Facebook Places allows you to "check-in" to a location with your mobile device. You can check-in with the official Facebook application for the iPhone or Android or you can use the Facebook mobile site: You can use if you have a location aware web browser such as Firefox, Opera or Chrome. In this post we will explore what Facebook Places is, how businesses are going to use it, the privacy and security concerns, and how one can fake a location check-in with a few easy steps.

How Does Facebook Places Work?
When you check-in with Facebook Places your location is shown as a status update in your profile feed so your friends can see where you are. You can also "tag" your friends who might be at the same location as you. The key word is “might.” Your friends don’t necessarily have to be physically at the same location as you.

For example, if you were at the Monroeville Zombie Museum with a few of your Zombie loving friends, why not check them in with you? This is what Facebook calls "tagging" your friends. If you haven’t noticed, there is a privacy flaw here in which you can tag your friends if they haven’t disabled or “opted out” of the Places service yet. The friends you tag will still show up as a status update on your profile feed. This could be fun, especially if you allow “Everyone” to view your updates.

Using Geolocation for Business Promotions
It should be no surprise that with the recent popularity of location based services businesses are beginning to use them for advertising and promotions as well as unique ways to generate revenue. This concept isn't new. Businesses have been using FourSquare to promote check-ins and virtual mayorships at businesses including coffee shops, restaurants, and anywhere else with a physical address. Most of these include getting free products, coupons, and other promotional items. For example, if I am the person who checks-in to a location most often in a set period, I might win a free coffee or half off my pizza.

Privacy and Security Concerns
Over the past year, researchers have already been discussing the privacy and security implications of using location based services. For example, you might remember where tweets from Twitter that contained geo-tags were changed to read that the user was "not at home." In a more recent example the website displays maps and location coordinates from the metadata found in photos uploaded and automatically tweeted by services like TwitPic. As the authors of have noted, many people who upload pictures to services like these have no idea that geo-tagging is enabled by default on most mobile devices. The thing to remember is that you have control of your location and what information you share with social networks! If you want to know how to configure your Facebook privacy settings for "Places," check out this article over at ReadWriteWeb. Or better yet, download the updated version of my Facebook Privacy & Security Guide which now includes information on Facebook Places.

Hacking Your Location for Fun and Profit
How can you easily manipulate Facebook Places so we can get free drinks, swag, and other fun items? This is actually quite easy. A researcher recently posted a simple Perl script to automatically check you in to locations on FourSquare. This concept could also be carried over to Facebook Places with a bit more complex code. But what if you don't want to mess with scripting languages or other technical tricks? Here are three quick and easy methods to spoof your location using Facebook Places through your mobile phone or a geo-aware web browser.

The Geolocater Firefox Plugin
Firefox is probably the easiest tool to use when faking your location. To see how this works you can type "about:config" in the URL box and then search on "geo". This pulls up the geolocation configuration in Firefox. The "geo.wifi.uri" setting can be changed to something other than the Google location service. For example, change the "geo.wifi.uri" value to any URL that will generate some JSON with location coordinates. The Geolocater Firefox plugin automates this for you. Simply install the “Geolocater” and search for a location using the search feature to automatically change your location. Get creative! You can go anywhere you want. Amaze your friends!

To test this out with Facebook Places you will need to use the Facebook mobile website: Click on "Places" and Firefox will prompt you to allow Firefox to retrieve your location. Next, find a suitable location to check into like the Alien Research Center and tag some of your friends with you. I’m sure they won’t mind.

FakeLocation iPhone Application and Fake Location for Android
The other easy way to fake your location is to simply use your iPhone or Android mobile device.For the iPhone (jailbroken of course) there is an application available in Cydia called FakeLocation. FakeLocation lets you select any location you want on a map and choose which applications you want to use to fake your location. Simply install it in Cydia, run the app, and choose the apps in which you want to use your fake location coordinates. Next, select where you want to be.

Finally, fire up the official Facebook app, then click on “Places” and you will notice that the FakeLocation app is working with a little notice that your location is being faked.

You can then check-in and tag your friends just like on the website. Android users can use an app called “Fake Location” which from what I can tell has the same functionality as the iPhone app.

Some Caveats
One thing I noticed during my testing is that Facebook does have some checks in place that won’t allow you to check-in at two locations within a large distance. You might get an error that says “The checkin is a significant distance from the user’s previous checkin in too short a timeframe”. I thought this was going to be a problem until I started to test this out a bit further. This check seems to be based on time, not distance. For example, checking into the Monroeville Mall (home of the Zombie Museum) then checking into the Spy Museum in Washington, DC blocked me after about a five minute window. I waited approximately 17 minutes and I was able to check-in at Washington, DC successfully. Actual distance from Monroeville, PA to Washington, DC is approximately 233 miles! A drive is about 4 1/2 hours; I made it in 17 minutes.

What Does All This Mean?
Now that the biggest social network on the block with its 500 million users is ready to play in the location based sandbox, Facebook is strategically poised to take over location based social networks. The problem that businesses, which might want to use location based services for actual business, haven't realized is that it's trivial to "game the system." Businesses have started to "trust" that people would never do anything like fake their location, even though there have been plenty of
extreme examples over the last year or so as well as the ones in this post. Examples like the ones shown here seem fun but the real problem is that location based services trust the location coordinates from the user. Services like these shouldn’t trust location coordinates (or any input data) from a user; how do these services know the data is valid? Perhaps we will see “two-factor” location based check-ins in the future. Unfortunately, this is a tough problem to solve and is a much bigger problem than tagging your friends in strange places.

Looking for more on the latest hacks, exploits, and more? Head to the SecureState website for all of the latest on information security.


Alex Hamerstone said...

Thanks for the great blog Tom. One tip to keep in mind is that on the Droid, make sure you go to Settings->Applications->Developers and select "Allow mock locations" to make sure this works.

ConcernedResident said...

Someone also mentioned that you can fake your location by manipulating the POST request containing location coordinates with a web proxy (like Burp or Paros).