
No, as long as they send precise distance radius info, a person's location can easily be computed with a very, very small margin of error.

The easiest fix is just to send a less precise location radius. The user does not care whether another user is 6 miles or 6.0000000001 miles away from him anyway.




That doesn't seem to fix anything. Suppose you round to miles. Now I just sample the system until I find the "border" where the reported distance changes from 1 to 2 miles, and then I know the distance is exactly 1.5 miles there (or 2 miles if they round down).

Repeat for two more points and you have the same vulnerability.


Rounding should work if you round the coordinates instead of the distance. Then you can at best calculate an approximate location very precisely.
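
An added example, not part of the thread: a comparison of the two mitigations discussed above, showing that a rounded distance still varies with the true position while a distance computed from grid-snapped coordinates is identical for every position in the same cell. The 0.01 degree cell size, the function names and the sample coordinates are constructed for illustration.

```python
import math

EARTH_RADIUS_MI = 3958.8  # mean Earth radius in miles

def haversine_mi(a, b):
    """Great-circle distance in miles between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(h))

def snap(point, cell_deg=0.01):
    """Replace a point with the centre of its fixed grid cell (cell size is assumed)."""
    return tuple((math.floor(c / cell_deg) + 0.5) * cell_deg for c in point)

def rounded_distance(target, viewer):
    """Mitigation 1: exact stored coordinates, distance rounded to whole miles."""
    return round(haversine_mi(target, viewer))

def snapped_distance(target, viewer):
    """Mitigation 2: coordinates snapped first, distance computed from the cell centre."""
    return round(haversine_mi(snap(target), viewer), 1)

def distinct_responses(scheme, targets, viewers):
    """Count how many different response vectors the scheme gives across targets."""
    return len({tuple(scheme(t, v) for v in viewers) for t in targets})

# Constructed sample data: three true positions inside ONE 0.01-degree cell,
# and three viewer positions that query the distance to each of them.
TARGETS = [(60.002, -10.005), (60.008, -10.005), (60.005, -10.002)]
VIEWERS = [(60.012, -10.005), (60.030, -10.020), (59.990, -9.980)]

if __name__ == "__main__":
    # More than one distinct vector means the response depends on where
    # inside the cell the user really is, so precision can be recovered.
    print("rounded distance :", distinct_responses(rounded_distance, TARGETS, VIEWERS))
    # Exactly one vector: every position in the cell is indistinguishable.
    print("snapped coords   :", distinct_responses(snapped_distance, TARGETS, VIEWERS))
```

The snap must be deterministic per cell; the best any observer can then recover is the cell centre, not the position within the cell.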


You probably don't even need to go that far. The randomness will be reduced when using multiple locations for trilateration.


That's a good point. If the first guess point (60.000000N, 10.000000W) is a mile away from the wanted point, then doing a binary search on a range, say [60.001000N, 10.000000W] and [59.999000N, 10.000000W], will most likely hit a boundary case (a leap from 1 to 2 or 1 to 0). If not, we can then make the search range a bit larger.


The article states "By proxying iPhone requests...".

I don't see how the attacker can read the JSON payload if SSL is used. Am I missing something?


The attacker "is" the iPhone in this situation. The attacker creates his own requests and has the server talk to him in order to gain location info.



