Surveillance by JavaScript

Interesting post by Landon Fuller.

Meraki provides free wireless access throughout San Francisco, using the network name “Free The Net”. Trying out their service at a coffee shop in my neighborhood, I discovered that Meraki has adopted a location-aware, advertising-driven model, and is now injecting ads into every page you visit using their network. (Screen shot).

I was surprised that Meraki is adding advertising to my web site (where’s my cut?), but that’s just the beginning. Meraki is sharing your location with every site you visit.

To display their advertising, Meraki adds a small piece of JavaScript to every page:

Included in that URL is your current estimated longitude and latitude. In my case, that’s the street just outside of Cafe Reverie, where I was taking lunch — a fairly accurate reading.

This is a new twist on the cross-site scripting problem — because Meraki’s script is injected directly into the site that I’m visiting, a simple piece of JavaScript, added by the web page’s author, can fish out your current location.

Thanks to Michael for spotting it.
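
From the site owner's side, the injection described above shows up as a script element the author never included. As an added example (not code from the original post), this audit lists script URLs whose origin is outside the page's allowlist and flags query parameters that carry coordinates; the hostnames and the `lat`/`lon` parameter names are constructed, since the injected URL itself is not reproduced on this page.

```javascript
// Added example: audit a page's script URLs for network-injected scripts
// that carry coordinates. Hostnames and parameter names are constructed.

const COORD_KEYS = /^(lat|latitude|lon|lng|long|longitude)$/i;

// True when a query value parses as a plausible decimal-degree coordinate.
function looksLikeCoordinate(value) {
  if (!/^-?\d{1,3}\.\d{3,}$/.test(value)) return false;
  return Math.abs(Number(value)) <= 180;
}

// scriptSrcs: src attributes found on the page as delivered to the client
//   (in a browser: [...document.scripts].map(s => s.src).filter(Boolean)).
// allowedOrigins: origins the site author deliberately loads scripts from.
function auditScripts(scriptSrcs, pageUrl, allowedOrigins) {
  const allowed = new Set([new URL(pageUrl).origin, ...allowedOrigins]);
  const findings = [];
  for (const src of scriptSrcs) {
    let url;
    try {
      url = new URL(src, pageUrl); // resolve relative src against the page
    } catch {
      findings.push({ src, leakedParams: [], note: "unparseable src" });
      continue;
    }
    if (allowed.has(url.origin)) continue; // script the author put there
    const leakedParams = [];
    for (const [key, value] of url.searchParams) {
      if (COORD_KEYS.test(key) || looksLikeCoordinate(value)) leakedParams.push(key);
    }
    findings.push({ src: url.href, leakedParams });
  }
  return findings;
}

// Constructed sample: two scripts the author included, one added in transit.
const samplePage = "https://blog.example.org/post/1";
const sampleSrcs = [
  "/static/site.js",
  "https://cdn.example.org/lib.js",
  "http://adnet.example.net/inject.js?lat=37.76500&lon=-122.44900&net=demo",
];
const sampleFindings = auditScripts(sampleSrcs, samplePage, ["https://cdn.example.org"]);
console.log(JSON.stringify(sampleFindings, null, 2));
```

Serving the site over HTTPS removes the access network's ability to rewrite the page in the first place; the audit is for confirming what visitors on a given network actually receive.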