Microsoft Patches Geographic Location Positioning Service

On August 1, Microsoft released a change to its geographic location positioning service on July 30, 2011, so the location of Windows-based devices can no longer be easily tracked, addressing the issue, which was highlighted on July 29th. This change adds improved filtering to validate each request so that the service will no longer return […]

On August 1, Microsoft released a change to its geographic location positioning service on July 30, 2011, so the location of Windows-based devices can no longer be easily tracked, addressing the issue, which was highlighted on July 29th.

This change adds improved filtering to validate each request so that the service will no longer return an inferred position when a single Media Access Control address is submitted. Microsoft is keenly aware of the sensitivity around all privacy issues, especially those surrounding geolocation. Specifically, Microsoft said it improved filtering to validate each location request so that Windows devices, like phones and laptops, no longer return an exact location.

"While it was not possible to use the service to track a roaming mobile phone or laptop using its MAC address prior to this change, Microsoft is keenly aware of the sensitivity around all privacy issues, especially those surrounding geolocation," Reid Kuhn, partner group manager on the Windows Phone engineering team, said in a blog post.

"Microsoft's privacy and security team has been in contact with Elie and we will continue the ongoing dialog with experts in the privacy field to improve our service offerings. We thank Elie and his team for working with us on this issue," Kuhn wrote.

In a Sunday tweet, Bursztein said he had a call with Microsoft officials and that they had issued a live API patch.

Bursztein's research started last year using location data from Google. He wrote a module for OWADE, a forensic tool he developed with his colleagues, and used the Google geo-location API to locate routers using their MAC address. After a article revealed how easy it was to track this data (and potentially, your phone's location), Google changed its policies and Bursztein was out of luck.

As a result, he turned his focus to Microsoft since Internet Explorer also supports the W3C geo-location API and uses the Live Location API under the hood. "To my surprise, Microsoft's API did not enforce any query restrictions," Bursztein wrote in a July 29 blog post. "You can get the location for a single MAC address and do as many queries as you want."

Initially, Microsoft said it discards on-the-go data and only focuses on devices with fixed locations, but it later updated its system on July 30.

Bursztein will present his findings at this week's BlackHat security conference.

[Source: Microsoft Privacy & Safety]