ExpressVPN Browser Extension: HTML5 Geolocation Spoof Bypass - Client Physical Location Leak

Disclosed by Bitspinner
  • Program: ExpressVPN
  • Disclosed date: 11 months ago
  • Reward: $1,250
  • Priority: P2 (Bugcrowd's VRT priority rating)
  • Status: Resolved (this vulnerability has been accepted and fixed)
Summary by ExpressVPN

Bitspinner identified a vulnerability in the way we validated the source for geolocation updates, which allowed a malicious website, or an attacker who could exploit an XSS vulnerability, to disable our geolocation spoofing feature and thus leak their actual geolocation. This issue has been resolved.

We are grateful to Bitspinner for disclosing this to us responsibly, and for his professionalism throughout the process.

Summary by Bitspinner

Overview of the Vulnerability

ExpressVPN's browser extensions (both Firefox + Chrome + Edge + others?) have an HTML5 geolocation spoof feature. This feature can be bypassed since the gps.js content script injects an event listener that validates only that event.source == window (source: validation logic).

The vulnerable code will set the hookedObj.fakeGeo property (source) to false, which controls spoofing conditional logic code flow at lines 19 and 42 within a JavaScript closure that is injected into every page the user browses (source: extension manifest.json).

Thus, it is possible for an attacker to phish a target using either an attacker-owned malicious site (user would have to approve location usage for the browser), or weaponize XSS on a site the victim user has already trusted (e.g.: maps.google.com) and potentially leak their current physical location.

To execute this, a web page need only execute these commands:

setInterval(() => {
    // bypass spoofing by posting a message to update 'hookedObj' in gps.js
    let info = {
        fakeIt: false,
        coords: {
            lat: 99.9999,
            lon: 99.9999,
        }
    }

    // any script running in the page can post this; event.source will equal window
    window.postMessage({ method: 'updateLocation', info: info }, "*")
}, 1000)

Business Impact

The ExpressVPN Browser Extension HTML5 spoofing feature gives users a false sense of safety when allowing location settings for webpages. There may be a portion of ExpressVPN users (e.g.: investigative journalists in dangerous countries, politicians, confidential informants, undercover personnel, deployed military personnel etc.) that rely on geolocation spoofing to not give away their location for physical safety reasons - as such, a successful attacker may have enough information to pose an immediate physical threat to the ExpressVPN user and those around them.

In addition, with the combined timestamp + physical location + VPNServer IP data, an advanced threat actor could potentially correlate (with additional data - e.g.: access to ISP data for the local geographic region) the Private IP of the ExpressVPN user.

Note that the physical location feature ranges in accuracy and may or may not be accurate when spoofing is disabled.

Report details
  • Submitted

  • Target location: ExpressVPN Chrome extension
  • Target category: Other
  • VRT: Sensitive Data Exposure > Disclosure of Secrets
  • Priority: P2
  • Bug URL: https://github.com/expressvpn/expressvpn_browser_extension/blob/3d018234c3cab61f34568a81311c84a38f128294/source/scripts/content/gps.js#L130
  • Description

    Disclosure of Secrets

    Steps to Reproduce

    1. Download + Install + Connect ExpressVPN Extension + enable HTML5 location spoofing
    2. Use a browser to navigate to spoofed location: https://do6.us/ca20a9ef-0390-438b-b83d-1826595d22ef/ExpressVPNPhysicalLocationLeakPOC + allow location services
    3. Add parameter ?bypass=1 : https://do6.us/ca20a9ef-0390-438b-b83d-1826595d22ef/ExpressVPNPhysicalLocationLeakPOC?bypass=1

    Note that the physical location should be more accurate despite the ExpressVPN spoofing setting in the Browser Extension still being enabled. The location should be the same as if you were to disable the HTML5 "Privacy & Security > Spoof your location" feature in the ExpressVPN extension.

    Proof of Concept (PoC)

    Screenshot: html5SpoofBypass.png

    Video POC: unlisted YouTube

    Attached is the source for the POC ExpressVPNGetPhysicalLocationLeakPOC.html which can be self hosted for further testing.
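
The listener check described in the report above (event.source == window as the only validation) is modelled below beside a fail-closed variant. This is an added example that runs in Node, not code from the extension or from ExpressVPN's fix. The names method 'updateLocation', info.fakeIt, info.coords and hookedObj.fakeGeo come from the report; hookedObj.coords, the function names and the sample coordinates are assumptions made for illustration.

```javascript
// Added example: a Node-runnable model of the injected listener, not the extension's code.
// From the report: method 'updateLocation', info.fakeIt, info.coords, hookedObj.fakeGeo.
// Assumed for illustration: hookedObj.coords, every function name, the sample coordinates.

// Weak form: the only check is event.source === win, which page scripts also satisfy.
function weakListener(win, hookedObj) {
  return (event) => {
    if (event.source !== win) return;
    const { method, info } = event.data || {};
    if (method !== 'updateLocation' || !info) return;
    hookedObj.fakeGeo = info.fakeIt;      // page-controlled value switches spoofing off
    hookedObj.coords = info.coords;
  };
}

// Fail-closed form: nothing arriving on the window channel can lower protection.
// Spoofing stays on for the life of the hook; only well-formed coordinates are taken.
function failClosedListener(win, hookedObj) {
  return (event) => {
    if (event.source !== win) return;
    const { method, info } = event.data || {};
    if (method !== 'updateLocation' || !info || !info.coords) return;
    const { lat, lon } = info.coords;
    const valid = Number.isFinite(lat) && Number.isFinite(lon) &&
                  Math.abs(lat) <= 90 && Math.abs(lon) <= 180;
    if (valid) hookedObj.coords = { lat, lon };   // info.fakeIt is never read
  };
}

// What the hooked geolocation call would hand to the page.
function reportedPosition(hookedObj, realCoords) {
  return hookedObj.fakeGeo ? hookedObj.coords : realCoords;
}

// Deliver the message shape from the report to a listener; return what the page sees.
function simulate(makeListener) {
  const win = {};                                        // stand-in for window
  const hookedObj = { fakeGeo: true, coords: { lat: 1.5, lon: 2.5 } };  // constructed
  const realCoords = { lat: 48.0, lon: 11.0 };           // constructed "real" position
  const listener = makeListener(win, hookedObj);
  listener({ source: win, data: { method: 'updateLocation',
    info: { fakeIt: false, coords: { lat: 99.9999, lon: 99.9999 } } } });
  return reportedPosition(hookedObj, realCoords);
}

console.log('weak listener reports:', simulate(weakListener));
console.log('fail-closed listener reports:', simulate(failClosedListener));
```

In the fail-closed model, turning spoofing off is a decision taken outside the page-reachable channel (for example by not installing the hook at all), so a forged message can at most be ignored.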
