Investigating Firefox’s Geolocation Feature

“Allow www.google.com to access your location?” dialog box

This message appears when I open up Google Maps in Firefox. But my laptop doesn’t have GPS… How will it know my location? The Learn more link in that screenshot tells us that “By default, Firefox uses Google Location Services”. And, since Google knows too much, it can surely answer “What’s this user’s location?”

What information does Firefox send to Google? And how does Google know my location then?

The Firefox page details what it sends to Google in order to get the user’s location. It sends:

  • your computer’s IP address,
  • information about the nearby wireless access points, and
  • a random client identifier, which is assigned by Google, that expires every 2 weeks.

“Nearby wireless access points” refers to WiFi networks in your area. Google has been collecting data on WiFi networks for years. It stated back in 2010 that it uses Google Street View cars to collect this data on WiFi in our neighborhoods, as well as take photos. They store the WiFi networks they see along with the car’s GPS coordinates at that moment.

So when Firefox sends Google your IP address along with the nearby WiFi networks, Google looks up the coordinates it stored when it last saw that combination of WiFi networks.

Can we see the data that Firefox is sending?

Using Developer Tools

I want to see if I can intercept the request that Firefox sends to Google. So I set up a basic webpage on my home server that uses JavaScript to request the user’s location from the Geolocation API [1] and display it on a map.

Developer Tools screenshot showing no http requests to any API after clicking “Allow” on the Location Services popup

After clicking “Allow” for location tracking, it successfully gets my location within 50 meters. However, the developer console shows no web requests to Google’s API… What gives? Maybe the developer console doesn’t show requests sent by Firefox for geolocation services?
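A test page like the one described above needs very little script. The following is an added example, not the code from the original page: the names `requestLocation`, `summarize` and `ERROR_NAMES` are hypothetical, and the map is left out so the result is simply printed as JSON.

```javascript
// Added example; all function and constant names here are hypothetical.
// Error codes defined by the Geolocation API's GeolocationPositionError.
const ERROR_NAMES = { 1: "PERMISSION_DENIED", 2: "POSITION_UNAVAILABLE", 3: "TIMEOUT" };

// Reduce a GeolocationPosition to the fields worth noting next to a capture.
function summarize(position) {
  const { latitude, longitude, accuracy } = position.coords;
  return {
    ok: true,
    latitude,
    longitude,
    accuracyMeters: Math.round(accuracy), // radius of uncertainty, in meters
    takenAt: new Date(position.timestamp).toISOString(),
  };
}

// Ask the browser for one fresh position and hand a plain result object to `done`.
// `geo` defaults to navigator.geolocation; it is a parameter so the function
// can also be exercised outside a browser with a stand-in object.
function requestLocation(done, geo = globalThis.navigator?.geolocation) {
  if (!geo) {
    done({ ok: false, error: "UNSUPPORTED" });
    return;
  }
  geo.getCurrentPosition(
    (position) => done(summarize(position)),
    (err) => done({ ok: false, error: ERROR_NAMES[err.code] || "UNKNOWN" }),
    {
      enableHighAccuracy: false, // the API default
      timeout: 10000,            // report TIMEOUT after 10 s instead of waiting forever
      maximumAge: 0,             // refuse a cached position, so every run asks for a new one
    }
  );
}

// In the test page: show the result so it can be compared with the capture.
if (typeof document !== "undefined") {
  requestLocation((result) => {
    document.body.textContent = JSON.stringify(result, null, 2);
  });
}
```

Setting `maximumAge` to 0 matters when the goal is to watch the traffic: a cached position can be returned without any new lookup being made.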

Using an HTTP(s) Proxy

So, I set up mitmproxy to intercept the http(s) requests that Firefox was sending. This is configurable from within Firefox, so we have to trust Firefox to send all of its requests through the proxy.

List of http requests that mitmproxy captured from my session with the map page

Still, no requests to Google’s API show up after clicking “Allow” on the location popup. Only requests to my site, map providers, and general Firefox telemetry show up. Does Firefox not respect the http(s) proxy that it’s configured to use? Wouldn’t it break in corporate environments where the app must use the proxy?

Using Wireshark

Next, I run a packet capture to see what my laptop is talking to. DNS traffic tends to be an easy place to start.

Turns out, Firefox is not talking to Google! You can see in the Wireshark screenshot that it’s talking to “location.services.mozilla.com”, aka Mozilla Location Services. Apparently, when the initial “Learn More” link said “By default, Firefox uses Google Location Services”, it left out that “Some Firefox Desktop versions distributed by third-parties, especially Linux distros use MLS by default” [2]. So it’s not Google, but Firefox’s own location service provider.

I would need to intercept the encrypted traffic it’s sending to Mozilla’s location services. Since Firefox isn’t using the HTTPS proxy I configured for these location requests, I believe I would have to set it up on my OS. I do not feel like doing that, nor do I feel like figuring out a VM setup, so the investigation ends here.

Conclusion

I learned a few things writing this and had fun learning how to use some new tools like mitmproxy. I had a general idea of how geolocation works for non-GPS devices, but now I understand more concretely what exactly goes on (though that’s purely from reading rather than testing on my own). I also learned a bit more about how Google has way too much data on us and our world. But at least we get cool maps 🙂

Sources / Further Reading

[1] https://developer.mozilla.org/en-US/docs/Web/API/Geolocation_API

[2] https://wiki.mozilla.org/CloudServices/Location/Software

https://support.mozilla.org/en-US/kb/does-firefox-share-my-location-websites?redirectslug=does-firefox-share-my-location-web-sites&redirectlocale=en-US

https://stackoverflow.com/questions/24932199/how-to-change-firefox-location-setting

https://developers.google.com/maps/documentation/geolocation/overview