Re: MAC addresses and privacy... from Richard Barnes on 2010-10-04 (public-privacy@w3.org from October to December 2010)

From: Richard Barnes <richard.barnes@gmail.com>
Date: Mon, 4 Oct 2010 14:47:56 -0400
To: David Singer <singer@apple.com>
Cc: public-privacy@w3.org
Message-ID: <AANLkTi=7+UwC=GT=3cVLoVKGw1eE75oiacMGWUCuazts@mail.gmail.com>

Worth noting that this attack doesn't even involve any advanced web APIs.
It's a generic XSS against the web-based interfaces that home gateways
present.  The more general concern is of course the existence of
MAC-to-location databases.

On Oct 4, 2010 2:09 PM, "David Singer" <singer@apple.com> wrote:

I was actually quite disturbed when I entered the mac address of my *laptop*
on this page:

http://www.samy.pl/mapxss/

and it got my location to within one house (i.e. it attributed it to the
house next door).

This means anyone sniffing my mac address when I am traveling will have a
pretty good idea of where I am from.  My iPhone's MAC address did not
trace....

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Monday, 4 October 2010 19:13:15 UTC