4

There's a website and it shows two pieces of information for a user:

"IP location: [country]" and "Detected location: [country]".

When I use a VPN, the "IP location" country matches the VPN country, but the "Detected location" always shows the real country.

I have reviewed several methods mentioned in previous questions but this site does not seem to rely on them:

  1. It does not use HTML5 Geolocation API (the browser doesn't ask for location permission, and no location indication in address bar).

  2. WebRTC is off (tested).

  3. No DNS leaks (tested).

  4. Browser language matches VPN country.

  5. System time matches VPN country time.

  6. Using fresh browser; never logged without VPN.

https://whoer.net, which tests for several of these factors gives me: "100.0% Your anonymity measures are safe or you don't use them."

  1. I googled several sites which detect user location but not a single site could show the real country. So, what new or more sophisticated method is this site using?

  2. As per discussion with Steffen Ullrich, here are more details: The site is called Paxful (https://paxful.com). It (unfortunately) needs an account to use (but a basic/unverified account should suffice). Also need to chat with another user to see what I've described. On the chat window, clicking on "Details" will show "IP location" and "Detected location" at the bottom. I can provide more details if anyone wants.

kayan1
  • 41
  • 3
  • @kayan1: *"Does the language in the browser change automatically as you travel across countries?"* - no. It is intended to reflect the users preference about the language of the content and thus does not change when the user travels. – Steffen Ullrich May 24 '20 at 13:03
  • @SteffenUllrich. I see. I learned something new from you, so thank you. This doesn't sound like a reliable way of detecting location, so I'm guessing this site might not be using this. Do you know of any site that uses browser language, I'm curious to test it. Thanks. – kayan1 May 24 '20 at 13:23
  • @kayan1: *"This doesn't sound like a reliable way of detecting location, so I'm guessing this site might not be using this."* - how do you know that the specific site uses a reliable way to detect the location? *"Do you know of any site that uses browser language, ..."* - this is usually not used for location but to set the output language on multi-language sites. – Steffen Ullrich May 24 '20 at 13:30
  • @SteffenUllrich. I don't know. By saying "guessing" and "might", I am implying that I don't know ;) What I do know is that it's very clear that this site is using two different methods of determining country. One they label "IP location". This seems to be what ALL the location/IP websites are using and it see the VPN location. But they have a different method called "Detected location" which gives the real country. – kayan1 May 24 '20 at 13:54
  • @kayan1: Much better. I've voted for reopen, let's see if others agree. – Steffen Ullrich May 25 '20 at 19:42
  • @SteffenUllrich. Thanks for helping me. Sorry about before. I'm learning and hopefully do better in future. – kayan1 May 25 '20 at 19:48
  • Are you using a mobile device? Have you tried incognito mode? The Brave browser? – schroeder May 25 '20 at 20:08
  • @schroeder. Thanks for opening the question (apologies for prior). I tried both Windows laptop and Android mobile, same result (site sees real country). After your comment, I tried both incognito mode and Brave browser, but same result. I can change the VPN country and "IP location" refreshes to match, but "Detected location" still shows real country. Very perplexing ... – kayan1 May 25 '20 at 20:59
  • *"Also need to chat with another user to see what I've described.*" What **Chat APP**? Are you running their supplied chat code? – user10216038 Feb 20 '21 at 18:03
  • Is your VPN client for your entire machine or is it a *Proxy VPN* for your browser? – user10216038 Feb 20 '21 at 18:06
  • What happens if you visit the site with [Whonix](https://www.whonix.org/) or [Tails](https://tails.boum.org/)? – Joseph Sible-Reinstate Monica Jun 20 '21 at 23:49
  • *Using fresh browser*. Not that easy. Many browsers can recover data from a previous installation of same of previous version. And they could ask the system for various informations at install time to be able to configure themselves. Did you try to use the developper mode of your browser to check the actual data exchanged? – Serge Ballesta Oct 19 '21 at 09:14

2 Answers2

2

They may be checking your TimeZone instead of your Time Offset

Not all ways of checking a timestamp are the same. https://whoer.net/ looks like it checks your time offset, but you may not have changed your actual TimeZone.

Browsers generally do not ask permission to access your local time; so, you can grab a person's TimeZone without prompting any permissions. While I do not know if all countries have their own TimeZone codes, I know that most do. You can get a person's TimeZone with the following JavaScript command:

Intl.DateTimeFormat().resolvedOptions().timeZone

These timezones are way more specific than a standard UTF offset anyway. So, if I get "America/Denver", then I know you are in the United States, but if I get "America/Cancun" then I know you are in Mexico. I just tested this using Brave's Tor and it still exposed my actual timezone even though I was connecting through another country.

To test if this is what they are doing, try changing your computer's region and timezone (not just your time) and seeing if that fools it.

Nosajimiki
  • 1,799
  • 6
  • 13
0

To the question about Google Maps: If you allow Google Maps web site to access tHTML Geolocation API and if the browser has permission to access your device location information, then Google Maps will know your location from your device.

mentallurg
  • 8,536
  • 4
  • 26
  • 41
  • Hi, thanks but my question is not about Google Maps. My point in mentioning GM was the contrast, that GM needs specific permission. If you don't allow, it sees the VPN county. But with this site the browser doesn't ask location permission, so I know it isn't using geo-location, yet it knows the real country. – kayan1 May 23 '20 at 21:30
  • Country can be determined (in many cases, but not always) by browser *Accept* header. An example: *Accept-Language: fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, \*;q=0.5*. But coordinates cannot be determined. – mentallurg May 23 '20 at 21:39
  • Hi, but this is a long list of countries. Can you help elaborate please? – kayan1 May 23 '20 at 22:02
  • In this example we see that the browser uses country code CH which means Switzerland. Means, very probably the user is located in that country. Of course the user can be traveling and actually be in the US or in China, not in Switzerland. Or user uses a browser extension to fake it. But for the most of the users the most of the time this information will show their country. – mentallurg May 23 '20 at 22:07