It’s one thing to deliberately share user geolocation data without consent, but what if you’re inadvertently giving it away? Tala CEO Aanand Krishnan says there’s a lot more to 3rd party attacks than ‘just’ skimming.
The Federal Communications Commission is proposing over $200m in fines for wireless carriers who knowingly shared, sold or otherwise mishandled their customers’ location data. Following significant press investigations and reports, public awareness of the risks associated with this kind of breach is growing and we’re now seeing calls from privacy advocates to strengthen legislation, add teeth to existing privacy regulations and even hold CEOs personally responsible for making promises they can’t keep on customer privacy.
Not Just Skimming
If a website wants to access your geolocation, the browser will prompt the user with a pop-up question.
There are two issues with the pop-up. First, this pop-up only shows up the first time the website is trying to access geolocation. If the user clicks ‘Allow Once’, that preference is recorded and the website can now access geolocation data any time in the future.
Secondly, if the user clicks ‘Allow’, it provides the entire website with permission to access the user’s geolocation. So in this case, if the user clicks on the ‘Allow’ button, scripts loaded from the primary domain (in this example it would be scripts loaded from w3cschools.com) as well as scripts loaded on the site from any other third-party domain, can access the user’s location information. In essence, malicious or adware scripts can now use a website’s permission levels to access sensitive user geolocation data.
What Can Website Owners Do?
The good news is that modern web browsers (PC and mobile) provide fine-grained security controls to monitor and block unauthorized access by third-party scripts.
In particular, a new and upcoming feature within browsers called feature-policy allows website owners to specify which domains can access sensitive user information and resources. For example, feature-policy allows a website to block a third-party script from accessing the user’s microphone or camera.
Feature-policy also provides websites with the ability to control access to user geolocation data. Using the feature-policy geolocation directive, a website can control which domains can access location information, including cross-domain iFrames.
For example, with the following policy, the website will only allow its own domain to access the location information. Any other domains trying to access the geolocation information will return an error.
Feature-Policy: geolocation 'self'
If the website wants to allow a second domain, let’s call it trusted-domain.com, to access the location information, it can do so using the following policy:
Feature-Policy: geolocation 'self' https://trusted-domain.com
With new privacy laws in place, website owners should prioritize restricting access to sensitive user data so that their websites don’t become conduits for data breaches or privacy violations. Browser-native controls like Content Security Policy (CSP), Subresource Integrity (SRI) and Feature-Policy are freely available for websites to enforce the right security and privacy policies.
To find out more about the risks specific to your organization, Tala can provide a Website Risk Analysis that will highlight client-side vulnerabilities on your web properties. Tala advocates both understanding risk and enabling standards-based, browser-native controls. We help organizations deploy and dynamically tune these capabilities to ensure continuous client-side security with zero impact on performance. FInd out more or request a demo at www.talasecurity.io.