Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Marauders Map: A Facebook Messenger Tool for Stalkers

June 11, 2015

Naked Security carried an ominous story about a Chrome browser extension developed by Harvard College computer science student Aran Khanna which allows people to pinpoint and track the location of Facebook Messenger users.

The extension, called Marauders Map after the magical chart from the Harry Potter books that reveals the location of every person within Hogwarts School, works by collecting the location data of Facebook Messenger users and plotting it on a map.

That Facebook has that data at its disposal is probably no surprise to anyone, but the ease with which it can be extracted, and the accuracy with which it can track someone – to within just one meter – may come as a shock.

To prove his own point, Khanna used Marauders Map to track one of his brother's friends for a couple of weeks. Though he doesn't know his brother's friend all that well, they are friends on Facebook, and so Khanna was able to use his target's frequent use of the messaging service to work out his weekly routine. Khanna was also able to determine where his casual acquaintance ended up at night, deducing not only exactly which dorm he slept in, but also which room.

Imagine what a stalker might do with this sort of information. The stalker would have enough data to predict where someone is likely to be at a given time.

Khanna realized that he didn't even need to be Facebook friends to be able to track another user – simply being engaged in the same messaging thread was sufficient.

The root problem here is the fact that the sharing of location data is switched on by default. It is also not clear to users that such data is being shared by Facebook Messenger – you need to click on the sent message to see it – and it is unsurprising that many users have no idea what they are broadcasting to their friends, acquaintances and potential stalkers.

Although Marauders Map can still be added to Chrome, it is unlikely to remain functional, according to the Guardian, which reports that its API key has been revoked by Mapbox, the mapping platform on which the extension was built. But Khanna, who will be starting an internship at Facebook soon, has made the source code available via GitHub, meaning it could be picked up and modified by other developers.

What should you do? Disable location sharing on Facebook Messenger – which the story tells you how to do, as follows:

Disabling location tracking on iOS

First, go to Settings, then Privacy and, finally, click on Location Services. Here you will see a list of every installed app that is capable of logging your location.

From this list, find Facebook Messenger and ensure it says 'Never' next to it.

Disabling location tracking on Android

Unfortunately for Android users, Google has not provided the same per-app level of privacy control. Instead, users are (for now at least) at the mercy of app developers and their ability to code in the means to disable location sharing.

As far as Facebook Messenger goes, this means opening the app, clicking on the Settings icon and then finding the "New messages include your location by default" field. Next to that is a checkbox – untick it.

One of the most disturbing aspects of this story is that Khanna is going to intern at Facebook – sure sounds like going to the dark side. Facebook is going to LOVE his skill set.

Hat tip to Rob Robinson.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson