Using a vpn with firefox, and location is leaked

Im using a vpn with firefox and my location is leaked. Careful, you are not anonymous. How is firefox accessing my actual location?

According to sites that tells u your ip, like whoer.net, im actually in russia.
But when i check the whereami website, im exactly where i live.
it also give me the same results with chrome.
I have to authorise the website to let him access the info. But how come it knows? Where in my browser is this information stored??
Using internet explorer, the whereami website says that it cannot know where i am.
Using tor, it says the browser is not compatible.
But firefox is definitely giving that information! This is freaking.

As long as you don’t grant access, sites using the HTML 5 geolocation API can’t access your location.

If you want Tor’s behaviour, what you want is to set geo.enabled to false in about:config.

I’m using a VPN, and when I let the site access my geolocation, it showed the location of the VPN server.

Disable webrtc . Go to ipleak.net, it will show that the webrtc is responsible for it.

There are a few ways I can think of that this would happen. First, if your VPN is ipv4-based and you have ipv6 enabled on your computer, you could be accessing sites or leaking info via ipv6 - try disabling IPv6 in your network properties.

Next, in your VPN config, make sure “Use Default Gateway on Remote Network” is enabled. This means ALL traffic will flow over the VPN.

  • right-click the VPN connection
  • click “Properties”,
  • click the “Networking” tab
  • double-click “Internet Protocol Version 4 (TCP/IPv4)”,
  • click the “Advanced…” button,
  • and there it is: “Use default gateway on remote network”.
  • Click OK three times.

Like other said, remove access to your location data. Follow their instructions.

OK
I found one answer
I checked Tor setting and the following string is empty.
geo.wifi.uri default string

by default it is set to https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_API_KEY%
by firefox.

Well. Empty this string and even if you authorise firefox to access your location, and have javascript enabled then fire wont be able to see your location. At least not like this and using this website protocol.

I wonder how the %GOOGLE_API_KEY% is generated, and where it is stored in firefox.

-your computer’s IP address,
-information about the nearby wireless access points, and
-a random client identifier, which is assigned by Google, that expires every 2 weeks

ok, so it means i cant use my wifi to connect internet or it may leak my location.
where is this google identifier stored? is there a way to edit/delete it? what are those “cell ids of the cell towers closest to you”?

False.
Imagine a website that would try to access your %GOOGLE_API_KEY% by another mean. It could guess your location.
emptying the geo.wifi.uri tag is maybe a temporary solution for this problem.

maybe because you are connected using ethernet?

i have no webrtc. i dont have dnsleak.
im using canvas defender.
i configured firefox about:config so it passes eff.org, ipleak.com, ip-check.info, whoer.net :
http://imgur.com/a/jLWS6
if i disable javascript i get location is 0.0
if i disable geo.enabled, i get this browser is not compatible.

If i use javascript, and geo.enabled.
When i give the browser the right to access my geolocation, it gets my location, even if i use a vpn.

Im using openvpn gui on windows. i disabled ipv6 on both vpn adapter and wifi.

I say i accept that firefox access my location. i didnt say i accept he run a scan with my wifi adapter and then define where i am. Im sure there is a thousand malicious way to access this information.

You would need to not click allow on the geolocation prompt. You would need to clear the geolocation access by clicking on the (i) icon to the left of the address in the address bar.

Do you really think Mozilla creates a new API key for each Firefox user? That would be abusing Google’s API.

This API key is unique key for all users (it’s a compile time variable, so it can’t be set dynamically), which means anyone who finds it can only find the location of a random Firefox user in the worse case.

Haven’t had an ethernet-conected laptop in years. All wifi.

My guess is that your VPN is leaking info, either via DNS requests or something else. You might be directing some traffic through it but not all traffic, and that may be where the geolocation is picking up your true IP from.

i have no webrtc.

How do you know? Have you tested for it?

https://diafygi.github.io/webrtc-ips/

the question is not if you allow or not. the question is how does the %GOOGLE_API_KEY% is generated, and how does firefox is helping generating it.

Sorry i dont get it.
%GOOGLE_API_KEY% is a variable that is the same for all users you say. But when running the https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_API_KEY%
it returns a very specific user related data (example) : {
“location”: {
“lat”: 51.0,
“lng”: -0.1
},
“accuracy”: 1200.4
}

So you could replace the geo.wifi.uri with a latitude and longitude to result another location.
So how is a generic variable is resulting my specific location?

Google API key is Mozilla’s key it is unique to Mozilla, not your install of Firefox.