New Vytal Chrome Extension Hides Location Info that your VPN Can’t
A new Google Chrome browser extension called Vytal prevents webpages from using programming APIs to find your geographic location leaked, even when using a VPN.
Many people use VPNs to hide their location or connect from another country while browsing the web. People do this for various reasons, such as bypassing censorship, geographic blocks, or simply having additional privacy on the Internet.
Using this information, a website can determine what country, or at least geographic region, a visitor is from and continue blocking content or track general information about the visitor, even if they are using a VPN.
Vytal aims to close the gaps
Last night, the developer ‘z0ccc’ shared the new Vytal Google Chrome extension on Y Combinator’s Hacker News, asking readers to provide feedback on the functionality.
“Most extensions that provide anti-fingerprinting features rely on content scripts to inject script tags into webpages. There are many limitations to script tag injections which you can read about here: https://palant.info/2020/12/10/how-anti-fingerprinting-exten…
“Vytal utilizes the chrome.debugger API to spoof this data. This allows the data to be spoofed in frames, web workers and during the initial loading of a website. It also makes the spoofing completely undetectable.”
For example, when this author connected to a VPN server in London, the Vytal.io site could still retrieve my device’s correct time zone, locale, and time, providing a general location of where I am located.
After installing the extension, you can specify your location from a list of pre-populated places, modify data to match your IP, or add a Custom location.
Users should note that when you select ‘Match IP’ and connect to a new VPN server, you need to click on the ‘Reload’ button to populate the extension with the new spoofed geographic location data.
For example, after connecting to a London VPN server and clicking the reload button, this same page now showed (for the most part) that I was located in the UK.
As you can see from the image above, the extension is not 100% perfect and can leak your correct information during the initial loading of a webpage.
As there is a slight delay between the pages loading and when the debugger starts spoofing the data, a user’s correct info can be retrieved during the initial loading of the webpage.
While this extension should work on all Chromium browsers, including Brave Browser, it cannot be ported to Mozilla Firefox as the browser does not support the debugger API.
z0ccc told BleepingComputer that the extension was initially created to prevent their location data from being leaked when using a VPN and prevent another project of theirs, called LocateJS, from detecting location info.
z0ccc plans on adding additional features to the extension to make it easier to use, including an allowed list of websites you commonly visit and should not receive spoofed data.
“Will probably improve the user agent feature so that you can select a user agent based on OS, browser, device etc. Will also add a whitelist feature in the future,” z0ccc shared via email.