Your Website Knows Where Your Users Are—But Is It Keeping That Data Secret?

The Federal Communications Commission is proposing over $200m in fines for wireless carriers who knowingly shared, sold or otherwise mishandled their customers’ location data. Significant press investigations and reports have raised public awareness of the risks associated with this kind of breach. We’re now seeing calls from privacy advocates to strengthen legislation, add teeth to existing privacy regulations and even hold CEOs personally responsible for making promises they can’t keep on customer privacy.

One big New York Times investigation referred to “Twelve Million Phones, One Dataset, Zero Privacy,” but many businesses may be unaware that their websites are similarly hackable. Third-party JavaScript is a real problem on the web, and the uncontrolled growth in third-parties can lead to loss of sensitive customer data: credentials, credit card information, etc. Hundreds of websites have fallen victim to these hacks.

The datasets are typically stolen using a "skimming" attack, where a malicious JavaScript captures a copy of user entry into a web form. But that’s not the whole story: there are many ways hackers can exploit JS to access sensitive data, including geolocation.

Besides skimming, there are other means by which JavaScript can access sensitive user data. HTML5 provides APIs that allow scripts to access the geolocation of a mobile or PC user. For example, JavaScript function can leverage the getcurrentPosition( ) method to obtain the user’s geolocation coordinates.

If a website wants to access your geolocation, the browser will prompt the user with a pop-up question.

There are two issues with the pop-up. First, this pop-up only shows up the first time the website is trying to access geolocation. If the user clicks ‘Allow Once,’ that preference is recorded, and the website can now access geolocation data any time in the future.

Secondly, if the user clicks ‘Allow’, it provides the entire website with permission to access the user’s geolocation. So in this case, if the user clicks on the ‘Allow’ button, scripts loaded from the primary domain (in this example it would be scripts loaded from w3cschools.com) as well as scripts loaded on the site from any other third-party domain, can access the user’s location information. In essence, malicious or adware scripts can now use a website’s permission levels to access sensitive user geolocation data.

The good news is that modern web browsers (PC and mobile) provide fine-grained security controls to monitor and block unauthorized access by third-party scripts.

In particular, a new and upcoming feature within browsers called feature-policy allows website owners to specify which domains can access sensitive user information and resources. For example, feature-policy allows a website to block a third-party script from accessing the user’s microphone or camera.

Feature-policy also provides websites with the ability to control access to user geolocation data. Using the feature-policy geolocation directive, a website can control which domains can access location information, including cross-domain iFrames.

For example, with the following policy, the website will only allow its own domain to access the location information. Any other domains trying to access the geolocation information will return an error.

Feature-Policy: geolocation 'self'

If the website wants to allow a second domain, let’s call it trusted-domain.com, to access the location information, it can do so using the following policy:

Feature-Policy: geolocation 'self' https://trusted-domain.com

With new privacy laws in place, website owners should prioritize restricting access to sensitive user data so that their websites don’t become conduits for data breaches or privacy violations. Browser-native controls like Content Security Policy (CSP), Subresource Integrity (SRI) and Feature-Policy are freely available for websites to enforce the right security and privacy policies.