Tracking user location from IP address using Google API

Tanoy BoseTanoy Bose

May 11 · 5 min read

If you think your geolocation coordinates are safe by only turning of your user location on your phone or your browser, think again. How? Let us begin with what an IP address is. Those who want no details on how I identified the issue and only tech details on how to do extract this information, please jump to The POCsection at the bottom.

Research inspired by work of Brian C and discussions with Smith Gonzalves.Please note, I already reported this to Google’s Security Team as a privacy issue, but they closed this as a “feature”, so have fun with the feature. I also gave a lightning talk on this at 36C3.

TL;DR

“An IP address (short for Internet Protocol address) is used to identify computers on the Internet. It works like a return address would on a piece of mail. When your computer or device sends a request, like a search on Google, it tags the request with your IP address. You can find an approximate location of the device through its IP address.”Now it is obvious that a user’s ISP location can easily be identified from their IP address and this is a publicly available feature mainly utilized to identify the end point’s country of origin.

For this article, I am willing to compromise my “approximate location” from a cafe because you can anyway get this information. Thanks to google :)

I did a quick lookup on my IP address location and here is how it looks

ISP Geolocation Location
Notice the identified latitude and longitude, marking it on google map (below)you can see the distance of this location from my original point of access.
Tracing ISP Geolocation
Location from Location Services Allowed
This “Geo Location” got directly from the browser GeoLocation API can show you how close this is to my original location (Notice, the identified location is still not in the circle)
Tracing Location from Location Services on Google Map

But wait. For this I basically had to turn on my location. Have I become another fs0c131ythat reports these kinds of information. Fortunately not! (Oof! That below the belt attack. #ForTehLulz)

HOWEVER, now I noticed that when I opened google maps with my “allow location” turned off, it automatically focused on the region where I resided. Here is where during a discussion, Smith gave me the idea to look into Google APIs.

So researching further, I came across this interesting API on Google APIs https://developers.google.com/maps/documentation/geolocation/intro

Quick Notes from Geolocation Docs:a. Either give it Wi-Fi or Cell Tower data or the API returns it’s response based on your IP Addressb. API responds with location and accuracy that mobile client can detectc. Response: {“latitude”:””, “longitude”:””, “accuracy”:””}
I actually have no idea how location services got me a more accurate result after several attempts but here is what I did. After allowing google maps once and turning on my “Allow Location” and reloading multiple times on the browser, I noticed the Browser Geolocation output was more accurate (Remember the location initially revealed was not in the circle).
Location with Allowed Location Services
Tracing Location with Allowed Location Services on Google Maps

The POC

This is where you turn off allow location and identify yourself with the Google API and be ready to get amazed. 2.1km Accuracy? Lol. And my fish fry lunch!

Location with Location Services Disallowed
Tracing Location with Location Services Disallowed on Google Map

The Cliche Fun and Profit

Obviously now that we got this interesting API giving out user locations, I had to identify the aspects of fun and profit with this API. So I tweeted.

Flag: Follow me on Twitter. lol

And of course we see the different user locations.

Testing server capture

Observe above, the user location accuracy can also sometimes be 561km, 3km, etc. Only after this test did I really understand how Google was storing your location and providing it to 3rd parties (see Conclusion for my inferences). Mobile internet users, you guys seem to be super safe if people are travelling around with a specific IP address.

html2pdf.com

(Location compromising SSRF! However, this is obviously not a security issue. Might be a privacy issue for the server.)

Le Conclusion

You can’t fight Google’s influence on your life. If you are not utilizing safeguards like a VPN, you are basically very bold on the current internet. Everyone is collecting your data.

What Google does is it stores the coordinates of your IP address if you “Allow Location” on your device or your browser. However, if you are utilizing a ISP with Dynamic IP allocation, be prepared that someone near you might get this IP address and give out their coordinates. Google approximates these location coordinates and provides a precise location coordinate to anyone any uses “Geo Location API”.

Also remember: Your privacy is your responsibility!

Your Privacy Is Your Responsibility

On behalf of Google for the Google haters, I understand that there is a slight distortion of the original location (location approximate value). This is something that Google stands by to consider it not privacy violation. The closest I have tracked myself to a location is 700 to 800 meters and about 1 block away from my home. If you think this is a privacy violation by Google, please let me know.

Similar Articles:

Impact of 5G on Location technology

Impact of 5G on Location technology

How to Stop Google’s Sensorvault From Sharing Your Location With Law Enforcement

How to Stop Google’s Sensorvault From Sharing Your Location With Law Enforcement

Android Q privacy change: User control over app access to device location

Android Q privacy change: User control over app access to device location

Don't (Geo)Fence Me In: Courts Order Google To Give Up Location Data

Don't (Geo)Fence Me In: Courts Order Google To Give Up Location Data