Marauders Map is stalking Facebook Messenger users

A new extension for Google's Chrome browser pushes the creepy needle into the red zone. Marauders Map tracks the location of anyone using Facebook Messenger who hasn't disabled its access to GPS location information from their smartphones.

The extension is so accurate it can pinpoint Messenger user locations to about a meter, and it can also search old messages to create a map of the user's travels during the past days or even weeks.

The developer of the app, Aran Kahanna, does not appear to be a creep. He's a young college student in Cambridge, Mass., who wanted to illustrate the dangers of unconsciously sharing personal data. I think he succeeded. (You can read Kahanna's blog post about Marauders Map here.)

Not only did Kahanna track the location of his Facebook friends, he figured out a way to keep tabs on anyone participating in group messages on Messenger, even if they weren't his Facebook Friends. For example, he tracked the location of someone in a poker group he belongs to and was able to pinpoint the man's dorm at Stanford University, as well as his specific room within the dorm. (The image shown above details the location of that man over several weeks as tracked by Marauders Map.)

It doesn't take a lot of imagination to think up some very bad ways that data could be used, whether it's for something violent or just intrusive.

There is, of course, a way to foil Marauders Map, and it's quite simple. Go into the settings of your smartphone and remove Messenger's ability to access your GPS information. So what's the big deal

The Messenger app grabs location data by default, and it's quite likely that many, maybe most, users don't even think about turning it off when they first install it. And because Facebook pushes users very hard to install Messenger, it's likely that tens or even hundreds of millions of people are sharing their location.

There's a larger point that goes well beyond the issue of Marauders Map, says Tim Erlin, director of IT security and risk strategy at Tripwire, an enterprise security provider. "We have accepted that location is something we share, and we share it with many apps, he says." And those apps may share it with people or companies that we don't know and have no reason to trust.

Your identity is made up of many discrete bits of information including your age, your address, your social security number, your employer, as well as your location at a given time. While any one of those may not reveal damaging information, it's the combination of two or more pieces of data that can paint a detailed picture of who you are, Erlin told me.

To illustrate his point, Erlin had me go to a site called Mylife that collects publicly available data on millions of people. It's unclear to me what Mylife purports to do, but I was not happy to see that it listed the names of several close family members, the exact addresses of the last six places I've lived, many of my old phone numbers, my age, recent employers, and more.

In his blog post, Kahanna mentioned that Facebook may disable code that allows Marauders Map to work with Messenger. In fact, when I installed Kahanna's invention, I couldn't get it to work, so maybe it's already dead.

But the point remains. We're all sharing far too much data for our own good.


Bill Snyder

Zur Startseite