A new Google Chrome browser extension called Vytal prevents webpages from using programming APIs to find your geographic location, even when you are using a VPN.
Many people use VPNs to hide their location or connect from another country while browsing the web. People do this for various reasons, such as bypassing censorship, geographic blocks, or simply having additional privacy on the Internet.
While a VPN will hide the IP address of your device and thus your physical location, it is possible to use JavaScript functions to query information directly from a web browser to find a visitor’s general geographic location.
For example, the Intl.DateTimeFormat().resolvedOptions() method can be used to retrieve a website visitor’s timezone, and the Date().toLocaleString() method can be used to return the visitor’s local time.
Using this information, a website can determine what country, or at least geographic region, a visitor is from and continue blocking content or track general information about the visitor, even if they are using a VPN.
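To check what your own browser exposes relative to your VPN exit, the added example below (not code from Vytal, LocateJS, or the original article) reads the signals described above and lists each one that disagrees with the exit location. The `exit` object, the function names, and the sample values are assumptions constructed for illustration.

```javascript
// Added example: self-audit of the location signals a page can read via JavaScript.
// `exit` (the zone/region your VPN exit IP geolocates to) is supplied by you; constructed below.

// Signals readable without any permission prompt.
function collectSignals(now = new Date()) {
  const opts = Intl.DateTimeFormat().resolvedOptions();
  return {
    timeZone: opts.timeZone,                    // e.g. "America/New_York"
    locale: opts.locale,                        // e.g. "en-US"
    utcOffsetMinutes: -now.getTimezoneOffset(), // minutes east of UTC
    localTime: now.toLocaleString(),
  };
}

// UTC offset (minutes east of UTC) of an IANA zone at a given instant.
function zoneOffsetMinutes(timeZone, now = new Date()) {
  const parts = new Intl.DateTimeFormat('en-US', {
    timeZone, hourCycle: 'h23', year: 'numeric', month: 'numeric',
    day: 'numeric', hour: 'numeric', minute: 'numeric', second: 'numeric',
  }).formatToParts(now);
  const p = {};
  for (const { type, value } of parts) p[type] = Number(value);
  const wallAsUtc = Date.UTC(p.year, p.month - 1, p.day, p.hour, p.minute, p.second);
  const instant = Math.floor(now.getTime() / 1000) * 1000; // drop milliseconds
  return (wallAsUtc - instant) / 60000;
}

// Return a description of every signal that disagrees with the VPN exit.
function auditAgainstExit(signals, exit, now = new Date()) {
  const leaks = [];
  if (signals.timeZone !== exit.timeZone) {
    leaks.push(`timeZone ${signals.timeZone} != ${exit.timeZone}`);
  }
  const expected = zoneOffsetMinutes(exit.timeZone, now);
  if (signals.utcOffsetMinutes !== expected) {
    leaks.push(`UTC offset ${signals.utcOffsetMinutes} != ${expected}`);
  }
  const region = new Intl.Locale(signals.locale).region; // undefined for "en"
  if (region && region !== exit.region) {
    leaks.push(`locale region ${region} != ${exit.region}`);
  }
  return leaks;
}

// Constructed sample: a New York machine behind a London VPN exit.
const exit = { timeZone: 'Europe/London', region: 'GB' };
const when = new Date('2022-07-01T12:00:00Z');
const unspoofed = { timeZone: 'America/New_York', locale: 'en-US', utcOffsetMinutes: -240 };
console.log(auditAgainstExit(unspoofed, exit, when)); // three mismatches
console.log(auditAgainstExit(collectSignals(), exit)); // this machine, right now
```

An empty result means the timezone, UTC offset, and locale region all agree with the exit; the comparison uses exact IANA zone names, so an alias for the same zone is reported as a mismatch.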
Vytal aims to close the gaps
Last night, the developer ‘z0ccc’ shared the new Vytal Google Chrome extension on Y Combinator’s Hacker News, asking readers to provide feedback on the functionality.
“Vytal can Spoof your timezone, locale, geolocation and user agent. This data can be used to track you or reveal your location,” explained z0ccc in the HN post.
“Most extensions that provide anti-fingerprinting features rely on content scripts to inject script tags into webpages. There are many limitations to script tag injections which you can read about here: https://palant.info/2020/12/10/how-anti-fingerprinting-exten…
“Vytal utilizes the chrome.debugger API to spoof this data. This allows the data to be spoofed in frames, web workers and during the initial loading of a website. It also makes the spoofing completely undetectable.”
To illustrate how JavaScript can be used to reveal a visitor’s location information, z0ccc created the https://vytal.io website that displays the type of information that can be obtained directly from a visitor’s computer, even if they are using a VPN.
For example, when this author connected to a VPN server in London, the Vytal.io site could still retrieve my device’s correct time zone, locale, and time, providing a general location of where I am located.
After installing the extension, you can specify your location from a list of pre-populated places, modify data to match your IP, or add a Custom location.
Users should note that when you select ‘Match IP’ and connect to a new VPN server, you need to click on the ‘Reload’ button to populate the extension with the new spoofed geographic location data.
For example, after connecting to a London VPN server and clicking the reload button, this same page now showed (for the most part) that I was located in the UK.
As you can see from the image above, the extension is not 100% perfect and can leak your correct information during the initial loading of a webpage.
As there is a slight delay between the page loading and when the debugger starts spoofing the data, a user’s correct info can be retrieved during the initial loading of the webpage.
Still, even with the initial load not showing the spoofed data, the script does a great job hiding location info that can be revealed using JavaScript APIs.
While this extension should work on all Chromium browsers, including Brave Browser, it cannot be ported to Mozilla Firefox as the browser does not support the debugger API.
z0ccc told BleepingComputer that the extension was initially created to prevent their location data from being leaked when using a VPN and prevent another project of theirs, called LocateJS, from detecting location info.
z0ccc plans on adding additional features to the extension to make it easier to use, including an allowed list of websites that you commonly visit and that should not receive spoofed data.
“Will probably improve the user agent feature so that you can select a user agent based on OS, browser, device etc. Will also add a whitelist feature in the future,” z0ccc shared via email.
For those who wish to try out Vytal, you can install it from the Google Chrome Web Store or download the source from the project’s GitHub page.
Source: www.bleepingcomputer.com