Disclosure of Secrets
Overview of the Vulnerability
ExpressVPN's browser extensions (Firefox, Chrome, Edge and possibly others) have an HTML5 geolocation spoofing feature. This feature can be bypassed because the gps.js content script injects an event listener that validates only that event.source == window (source: validation logic).
The vulnerable handler sets the hookedObj.fakeGeo property (source) to false; that property controls the spoofing conditionals at lines 19 and 42 of a JavaScript closure that is injected into every page the user browses (source: extension manifest.json).
Thus, an attacker can phish a target using either an attacker-owned malicious site (the user would have to approve location access for that site) or an XSS vulnerability on a site the victim has already trusted with location access (e.g. maps.google.com), and potentially leak the victim's current physical location.
To trigger the bypass, a web page need only execute the following code:
    setInterval(() => {
        // bypass spoofing by posting a message to update 'hookedObj' in gps.js
        let info = {
            fakeIt: false,
            coords: {
                lat: 99.9999,
                lon: 99.9999,
            },
        };
        window.postMessage({ method: 'updateLocation', info: info }, "*");
    }, 1000);
Business Impact
The ExpressVPN Browser Extension HTML5 spoofing feature gives users a false sense of safety when granting location permissions to web pages. Some ExpressVPN users (e.g. investigative journalists in dangerous countries, politicians, confidential informants, undercover personnel, deployed military personnel) rely on geolocation spoofing to avoid revealing their location for physical-safety reasons; a successful attacker may therefore obtain enough information to pose an immediate physical threat to the ExpressVPN user and those around them.
In addition, by combining the timestamp, the physical location and the VPN server IP, an advanced threat actor with additional data (e.g. access to ISP records for the local geographic region) could potentially correlate the private IP of the ExpressVPN user.
Note that the physical location feature ranges in accuracy and may or may not be accurate when spoofing is disabled.
Steps to Reproduce
- Download, install and connect the ExpressVPN extension, then enable HTML5 location spoofing
- Navigate to the spoofed-location test page https://do6.us/ca20a9ef-0390-438b-b83d-1826595d22ef/ExpressVPNPhysicalLocationLeakPOC and allow location services
- Add the parameter ?bypass=1: https://do6.us/ca20a9ef-0390-438b-b83d-1826595d22ef/ExpressVPNPhysicalLocationLeakPOC?bypass=1
Note that the reported physical location should be more accurate even though the spoofing setting in the ExpressVPN Browser Extension is still enabled. The location should match what you would see after disabling the "Privacy & Security > Spoof your location" HTML5 feature in the ExpressVPN extension.
Proof of Concept (PoC)
Screenshot:
Video POC: unlisted YouTube
Attached is the source for the PoC, ExpressVPNGetPhysicalLocationLeakPOC.html, which can be self-hosted for further testing.