New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Google geolocation API requests without user notification #361

Closed
timur-davletshin opened this Issue Oct 25, 2016 · 20 comments

Comments

Projects
None yet
5 participants
@timur-davletshin

timur-davletshin commented Oct 25, 2016

Hello everybody!

Every time I open app.wire.com in Firefox I see Google geolocation API requests being made with my exact (!) location (Latitude/Longitude) to determine my location (displayed in Settings). JSON response from Google contains my exact address.

Since I don't remember that I was giving app.wire.com right to determine my location via browser Geolocation API there is only one source of such information - only my IP address.

I believe this is serious flaw for security oriented messenger. Google is the last thing I want to see in Wire network communications.

P.S. Just double-checked via TOR. Yep, IP is the source for latitude/longitude and THERE IS NO WARNING about geolocation requests.

untitled

@IpsmLorem

This comment has been minimized.

Show comment
Hide comment
@IpsmLorem

IpsmLorem Oct 25, 2016

I confirm the serious flaw:
https://maps.googleapis.com/maps/api/geocode/json?latlng=x.y,x.y&key=AIzaSyCKxxKw5JBZ5zE
is requested with the web version. (I suppose the Desktop one is the same)

Furthermore, the https://web.localytics.com/v3/localytics.min.js is requested too.
As a rule of thumb, only https://*.wire.com must be accessed.

IpsmLorem commented Oct 25, 2016

I confirm the serious flaw:
https://maps.googleapis.com/maps/api/geocode/json?latlng=x.y,x.y&key=AIzaSyCKxxKw5JBZ5zE
is requested with the web version. (I suppose the Desktop one is the same)

Furthermore, the https://web.localytics.com/v3/localytics.min.js is requested too.
As a rule of thumb, only https://*.wire.com must be accessed.

@timur-davletshin

This comment has been minimized.

Show comment
Hide comment
@timur-davletshin

timur-davletshin Oct 25, 2016

Localytics is requested before login only, I believe, to collect usage data. I see no big flaw here. But geolocation (via IP) without notifications (on server side I believe) is very bad idea. I seems like Wire's server side has got email — IP (and latitude/longitude most likely) pairs in open form.

BTW: This information partially mentioned in Privacy/Security Whitepapers. Nevertheless, seeing client-side Google requests makes me very conspicuous 🤔

timur-davletshin commented Oct 25, 2016

Localytics is requested before login only, I believe, to collect usage data. I see no big flaw here. But geolocation (via IP) without notifications (on server side I believe) is very bad idea. I seems like Wire's server side has got email — IP (and latitude/longitude most likely) pairs in open form.

BTW: This information partially mentioned in Privacy/Security Whitepapers. Nevertheless, seeing client-side Google requests makes me very conspicuous 🤔

@tokariu

This comment has been minimized.

Show comment
Hide comment
@tokariu

tokariu Oct 25, 2016

i agree with you that wire shouldn't have traffic with 3rd party hosts.

Localytics is the telemetry service wire uses. It can be disabled in the options of the client. Then it should be gone (theoretically, haven't tested).
I already pointed out elsewhere that it is a bad idea to have Localytics enabled by default, and not as an opt-in option.

and the other called host, googleapi... could it be browser-dependent and not wire-dependent?
maybe if you use chrome-browser it's part of google chrome to phone home geolocation information, without wire having anything to do with it? (maybe if someone uses microsoft edge it phones geolocation information home to bing/microsoft - just speculation didn't do any testing)

tokariu commented Oct 25, 2016

i agree with you that wire shouldn't have traffic with 3rd party hosts.

Localytics is the telemetry service wire uses. It can be disabled in the options of the client. Then it should be gone (theoretically, haven't tested).
I already pointed out elsewhere that it is a bad idea to have Localytics enabled by default, and not as an opt-in option.

and the other called host, googleapi... could it be browser-dependent and not wire-dependent?
maybe if you use chrome-browser it's part of google chrome to phone home geolocation information, without wire having anything to do with it? (maybe if someone uses microsoft edge it phones geolocation information home to bing/microsoft - just speculation didn't do any testing)

@timur-davletshin

This comment has been minimized.

Show comment
Hide comment
@timur-davletshin

timur-davletshin Oct 25, 2016

It is universally used by Chrome and Firefox. Statistic via Localytics has got nothing todo with crash reports (which can be opted in Settings).

timur-davletshin commented Oct 25, 2016

It is universally used by Chrome and Firefox. Statistic via Localytics has got nothing todo with crash reports (which can be opted in Settings).

@tokariu

This comment has been minimized.

Show comment
Hide comment
@tokariu

tokariu Oct 25, 2016

I can confirm the geolocation requests on firefox. But I guess the source-request is not coming from wire directly (maybe localytics or something else). Would be nice to find out where it comes from.

As far as I know, on the Desktop-Client, you can opt-out of localytics, which means no "usage- AND error-reports" (on desktop-wire there is only one option for both). I read somewhere that, on the wire-Webapp you can't opt-out of this. So that could be the reaon.

ffwire

tokariu commented Oct 25, 2016

I can confirm the geolocation requests on firefox. But I guess the source-request is not coming from wire directly (maybe localytics or something else). Would be nice to find out where it comes from.

As far as I know, on the Desktop-Client, you can opt-out of localytics, which means no "usage- AND error-reports" (on desktop-wire there is only one option for both). I read somewhere that, on the wire-Webapp you can't opt-out of this. So that could be the reaon.

ffwire

@timur-davletshin

This comment has been minimized.

Show comment
Hide comment
@timur-davletshin

timur-davletshin Oct 25, 2016

Source-request (function) is defined in one of JS files received just before request — wire-app.min.js

timur-davletshin commented Oct 25, 2016

Source-request (function) is defined in one of JS files received just before request — wire-app.min.js

@tokariu

This comment has been minimized.

Show comment
Hide comment
@tokariu

tokariu Oct 25, 2016

thx, doesn't matter, just the proxy-isp geo info.
don't have much time now, but I will try to wireshark desktop traffic to see if it's the same then.

tokariu commented Oct 25, 2016

thx, doesn't matter, just the proxy-isp geo info.
don't have much time now, but I will try to wireshark desktop traffic to see if it's the same then.

@timur-davletshin

This comment has been minimized.

Show comment
Hide comment
@timur-davletshin

timur-davletshin Oct 25, 2016

...doesn't matter...

Sure, original image is already in everybody's mailbox 🙂

timur-davletshin commented Oct 25, 2016

...doesn't matter...

Sure, original image is already in everybody's mailbox 🙂

@tokariu

This comment has been minimized.

Show comment
Hide comment
@tokariu

tokariu Oct 25, 2016

yeh everybody can have some fun with my proxyisp geolocation. every website I visit got this information too, so I don't consider this as secret.
lets get back to topic and find out what is causing this requests

tokariu commented Oct 25, 2016

yeh everybody can have some fun with my proxyisp geolocation. every website I visit got this information too, so I don't consider this as secret.
lets get back to topic and find out what is causing this requests

@timur-davletshin

This comment has been minimized.

Show comment
Hide comment
@timur-davletshin

timur-davletshin Oct 25, 2016

JS function in wire-app.min.js does that request. I didn't dig further (morning is coming for me and I didn't get a wink of sleep) but I believe this information is used in Settings to show login location for current device. I'm more concerned about server-side activity since they clearly (correct me) store that information in unencrypted/unhashed form.

timur-davletshin commented Oct 25, 2016

JS function in wire-app.min.js does that request. I didn't dig further (morning is coming for me and I didn't get a wink of sleep) but I believe this information is used in Settings to show login location for current device. I'm more concerned about server-side activity since they clearly (correct me) store that information in unencrypted/unhashed form.

@tokariu

This comment has been minimized.

Show comment
Hide comment
@tokariu

tokariu Oct 25, 2016

from the security whitepaper, it reads:

3.2.2 Metadata
The server collects the following metadata for every newly registered client and
makes it available it to the user:
• Timestamp: The UTC timestamp when the client was registered.
• Location: The geo-location of the IP address used to register the client.
This information is only collected to make notifications about new registrations
more meaningful

Nothing found about whether this information is encrypted or not (will edit if I find)

tokariu commented Oct 25, 2016

from the security whitepaper, it reads:

3.2.2 Metadata
The server collects the following metadata for every newly registered client and
makes it available it to the user:
• Timestamp: The UTC timestamp when the client was registered.
• Location: The geo-location of the IP address used to register the client.
This information is only collected to make notifications about new registrations
more meaningful

Nothing found about whether this information is encrypted or not (will edit if I find)

@timur-davletshin

This comment has been minimized.

Show comment
Hide comment
@timur-davletshin

timur-davletshin Oct 26, 2016

As I already said it is mentioned in whitepaper but still looks like serious flaw to me.

timur-davletshin commented Oct 26, 2016

As I already said it is mentioned in whitepaper but still looks like serious flaw to me.

@IpsmLorem

This comment has been minimized.

Show comment
Hide comment
@IpsmLorem

IpsmLorem Oct 26, 2016

As far I know, the desktop App only contacts:
cap

IpsmLorem commented Oct 26, 2016

As far I know, the desktop App only contacts:
cap

@timur-davletshin

This comment has been minimized.

Show comment
Hide comment
@timur-davletshin

timur-davletshin Oct 26, 2016

Sorry, I'm at work, dig a bit later but how do I get my location in settings? Obviously they make some sort of geoloc. request. Maybe just on server side but it doesn't diminish this fault.

timur-davletshin commented Oct 26, 2016

Sorry, I'm at work, dig a bit later but how do I get my location in settings? Obviously they make some sort of geoloc. request. Maybe just on server side but it doesn't diminish this fault.

@tokariu

This comment has been minimized.

Show comment
Hide comment
@tokariu

tokariu Oct 26, 2016

i did some short network analysis:
1
This is the Desktop Wire-Client starting with an already logged-in account.

2
Thats the Desktop Wire-Client starting and logging in with some already registered user-account.

I didn't test a new account registration with the desktop client. so it could be, as mentioned in the whitepaper, that on registration geolocation information will be requestest and therefor googleapis might show up in the logs.

But so far, if used with registered accounts, no geolocation requests show up when using Desktop Clients (at least client-wise).

PS: Localytics (error- usagedata collection) were disabled on both tests in the test-client

tokariu commented Oct 26, 2016

i did some short network analysis:
1
This is the Desktop Wire-Client starting with an already logged-in account.

2
Thats the Desktop Wire-Client starting and logging in with some already registered user-account.

I didn't test a new account registration with the desktop client. so it could be, as mentioned in the whitepaper, that on registration geolocation information will be requestest and therefor googleapis might show up in the logs.

But so far, if used with registered accounts, no geolocation requests show up when using Desktop Clients (at least client-wise).

PS: Localytics (error- usagedata collection) were disabled on both tests in the test-client

@timur-davletshin

This comment has been minimized.

Show comment
Hide comment
@timur-davletshin

timur-davletshin Oct 26, 2016

ОК, it's clear but web-version sends those requests to Google every time I open it. Let's wait for developers to comment.

timur-davletshin commented Oct 26, 2016

ОК, it's clear but web-version sends those requests to Google every time I open it. Let's wait for developers to comment.

@tokariu

This comment has been minimized.

Show comment
Hide comment
@tokariu

tokariu Oct 26, 2016

It's obviously Localytics which can't be disabled in Wire's Browser-version. I assume it collects geolocation information (by resolving IP geo-data via google) to be sent with usagedata and/or errorreports.

I guess if this telemetry thing would be opt-in instead of opt-out, it wouldn't show up.

what options do we have if thats the case? opt-out of telemetry by default? change Localytics internals to not resolve geolocation information?

tokariu commented Oct 26, 2016

It's obviously Localytics which can't be disabled in Wire's Browser-version. I assume it collects geolocation information (by resolving IP geo-data via google) to be sent with usagedata and/or errorreports.

I guess if this telemetry thing would be opt-in instead of opt-out, it wouldn't show up.

what options do we have if thats the case? opt-out of telemetry by default? change Localytics internals to not resolve geolocation information?

@IpsmLorem

This comment has been minimized.

Show comment
Hide comment
@IpsmLorem

IpsmLorem Oct 26, 2016

Localytics si blocked on my side and the GMap URL still contain the geolocatisation.

IpsmLorem commented Oct 26, 2016

Localytics si blocked on my side and the GMap URL still contain the geolocatisation.

@tokariu

This comment has been minimized.

Show comment
Hide comment
@tokariu

tokariu commented Oct 26, 2016

I guess thats the source of these requests:
https://github.com/wireapp/wire-webapp/tree/dev/app/script/location

@raphaelrobert

This comment has been minimized.

Show comment
Hide comment
@raphaelrobert

raphaelrobert Apr 11, 2017

Member

As described in the whitepapers, Wire shows the location of where clients were registered.
The sole purpose of that location is to assist users in identifying suspicious clients registered with their account, e.g. as a result of account compromise.

Member

raphaelrobert commented Apr 11, 2017

As described in the whitepapers, Wire shows the location of where clients were registered.
The sole purpose of that location is to assist users in identifying suspicious clients registered with their account, e.g. as a result of account compromise.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment