Posts tagged: gowalla

Mar 10 2010

Gowalla location spoofing

Gowalla is an application that claims to be “the easiest way to share places you go with friends”. The application runs on iPhone and Android devices, and uses your GPS location to create “Spots” and allows you to Check In at a Spot. You can tie your gowalla account to your twitter account, or your facebook account, so that updates are automagically posted to these services. When Adam pointed out the research he had done with decloaking a user’s private checkins, I noticed that part of the information posted was the GPS lat and long. This got me wondering if I could go ahead and post a false lat and long to checkin from someplace other than where I was currently sitting (which is usually my couch). Some discussion ensued, and shortly Adam sent me a couple of scripts he had hacked up that would allow me to create a Spot, then checkin from that Spot. All I need to provide is GPS coordinates, and associated trivia like a comment, a name for the spot, etc.

So I took a trip to Mt. Everest. One of my followers on twitter (Hi Adam!) retweeted my checkin, and within a very short time (definitely less than 30 minutes, but I can’t be more exact than that), my account had been removed, along with my Spot for Mt. Everest. This irritated me a little bit. In my eyes it would have been appropriate to at least contact me and say “Hey, you’re bending the rules, knock it off,” but they didn’t, it was just wholesale account-slaughtering time. After reading through the Terms of Service and not finding anything that I could see that I had violated, I went ahead and created a new account, “gowalla sucks”, using the same email address and twitter account I had used on my previous account. Then I went to Antarctica.

BRRRR!!!!

After confirming that the spot was created, checking in, and making sure it posted to my twitter feed, I went about my business for a while. A short time later I came back to gowalla, to see if they had trashed my new account, only to discover that my name was now “gowalla isyournewbestfriend”, which I think was a much more appropriate response than just removing the account, and pretty funny, to boot.

It is worth noting at this point that I don’t have an iPhone, nor an Android device. These scripts interact with the Gowalla API directly from the webpage. Which brings us to the moral of the story: much has been said about the wisdom of advertising your location to the whole wide world (check out pleaserobme.com if you haven’t yet), but little so far about advertising false locations, which could be just as problematic. The day is not far off when a criminal will try to use a facebook status update, or a gowalla post as an alibi, stating “I couldn’t have killed my wife, I was across town, here is proof!” (if it hasn’t happened already). Of course, the flipside actually adds a layer of obfuscation: Need to fool your stalker? Just post a bunch of bogus updates, and she’ll run herself ragged trying to track you down. Food for thought, nothing more…

Thanks to Adam, Adam, and the penguins in McMurdo Sound for their support and assistance bringing this (sort of) important issue into the light.

UPDATE: While I was typing this up they removed my spot for McMurdo Station Ice Runway. Shame on you gowalla! There’s nothing in your terms of service that says I have to check in from WHERE I ACTUALLY AM.
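The check-ins above were accepted because the API trusts whatever coordinates the client sends. The simplest server-side defence is a plausibility check on consecutive check-ins: compute the great-circle distance from the user’s previous check-in and the time elapsed, and flag anything that would have required travelling faster than an airliner. The script below is an added illustration of that check, not code from this post or from Gowalla; the speed threshold and the “home” coordinates are assumed, and the sample check-ins are constructed to mirror the couch-to-Everest-to-Antarctica sequence described above.

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
# Assumed policy threshold: nothing a user can ride moves much faster than a
# jet airliner (~900 km/h), so a higher implied average speed between two
# consecutive check-ins is treated as spoofed, or at least worth a review.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lng1, lat2, lng2):
    """Great-circle distance in kilometres between two lat/lng points (degrees)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlmb = math.radians(lng2 - lng1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implied_speed_kmh(prev, cur):
    """Average speed the user would have needed to get from prev to cur in time."""
    dist = haversine_km(prev["lat"], prev["lng"], cur["lat"], cur["lng"])
    hours = (cur["at"] - prev["at"]).total_seconds() / 3600.0
    if hours <= 0:
        # Same timestamp (or out of order): any distance at all is impossible.
        return math.inf if dist > 0 else 0.0
    return dist / hours


def flag_impossible_travel(checkins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return [(spot, implied_kmh)] for every check-in that could not have been
    reached from the user's previous check-in at a plausible speed."""
    ordered = sorted(checkins, key=lambda c: c["at"])
    flagged = []
    for prev, cur in zip(ordered, ordered[1:]):
        speed = implied_speed_kmh(prev, cur)
        if speed > max_kmh:
            flagged.append((cur["spot"], round(speed)))
    return flagged


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed sample: a plausible afternoon at home, then the two spoofed
# check-ins from the post, all within about two hours. The home coordinates
# are made up; the Everest and McMurdo coordinates are public approximations.
SAMPLE_CHECKINS = [
    {"spot": "Coffee shop (constructed)",  "lat": 47.6205,  "lng": -122.3493, "at": ts("2010-03-10T17:00:00")},
    {"spot": "Couch (constructed)",        "lat": 47.6097,  "lng": -122.3331, "at": ts("2010-03-10T18:00:00")},
    {"spot": "Mt. Everest",                "lat": 27.9881,  "lng": 86.9250,   "at": ts("2010-03-10T18:20:00")},
    {"spot": "McMurdo Station Ice Runway", "lat": -77.8500, "lng": 166.6700,  "at": ts("2010-03-10T19:00:00")},
]


def run_sample():
    return flag_impossible_travel(SAMPLE_CHECKINS)


if __name__ == "__main__":
    for spot, kmh in run_sample():
        print(f"suspicious check-in at {spot}: implied {kmh} km/h")
```

Run as-is it reports the Everest and McMurdo check-ins (each implies well over 10,000 km/h) and says nothing about the coffee shop to couch hop. A real deployment would make the threshold a policy knob and route flagged check-ins to review rather than deleting the account outright, which is the point the post makes about Gowalla’s response.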

Mar 09 2010

Decloaking Gowalla Private Passport + bonus

It seems that every day people around me are sharing more and more “status” information with each other. Whether or not that is a good idea is best left for another conversation, but here’s an argument for not sharing: Like a lot of people, I tried out Gowalla. It was fun to spam my friends with random locations I was visiting, mindlessly whoring out information to the public about my whereabouts. I figured after using the service for a little while that it might be a good idea to just tell my friends about where I am rather than broadcast it to the whole world (pleaserobme.com), and enabled the private profile option.

Per Gowalla the private profile option will:

If you choose to turn Passport Privacy on, your stamps (the places you’ve been) and your items will only be visible to your friends.

Not wanting to take their word for it I had to take a look at the various ways of accessing the data that was to be private. Turns out that through a series of API calls this information is still available. The process I used is outlined below.

1. First we need to find a user to stalk (er, decloak). You can either guess at a username (turns out a lot of people like to use the same Gowalla username as their twitter username, go figure), or, protip: if you don’t know the username, just go through IDs and brute force all the accounts. It appears that Gowalla’s user IDs increment in a predictable manner. We will use mine for the sake of demonstration. Also, it’s important to note that gowalla.com/users/adam_baldwin and gowalla.com/users/53172 bring up the same user information.

2. Now we need to find out the number of stamps a user has using the URL below. If the number is 0 there is a chance the profile is private.

http://gowalla.com/users/%d/stamps?limit=1

Making the request requires that you mimic the web API, so some fancy headers are in order. Something like:

user_agent = 'Mozilla/5.0'  # placeholder; any browser user-agent string will do
headers = {'User-Agent': user_agent,
           'X-Requested-With': 'XMLHttpRequest',
           'X-Gowalla-API-Key': 'fa574894bddc43aa96c556eb457b4009',
           'Accept': 'application/json',
           }

3. Next we get the user information. If the stamp count in the user record is > 0 (even though step 2 returned none), the profile is definitely cloaked (private) and we need to do a little more digging.

http://gowalla.com/users/%d.json

4. The following URL will give you all the locations in which the user has checked in. It’s not really all that useful as it’s just the location.

http://gowalla.com/spots?checkins_user_id=%d&order=checkins_count+desc

5. This is where things get interesting. If you take the checkins_url value from each spot in step 4 and request it, you get all of the checkins for that spot, including the checkins for the user that are supposed to be private. Iterate through them looking for the one whose user URL matches your targeted user and now you have the date and time of the check in.
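The bug in steps 2 through 5 is a classic one: the privacy rule is enforced on the user’s own stamp list but forgotten on the nested spot-checkins resource, so the same data is reachable by walking a different path. The mock below is an added example, not Gowalla’s code and not decloak.py; the users, spots and check-ins are constructed, and the endpoint functions are stand-ins for the URLs in steps 2 and 5. It shows the leaky endpoint beside the fixed one, which applies the single authorization rule to every row it returns.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    username: str
    private: bool  # "Passport Privacy" switched on


@dataclass(frozen=True)
class Checkin:
    user_id: int
    spot_id: int
    at: str


# Constructed sample data, not Gowalla's. bob (id 2) has a private passport and
# is friends only with alice (id 1); carol (id 3) is a stranger.
USERS = {
    1: User(1, "alice", private=False),
    2: User(2, "bob", private=True),
    3: User(3, "carol", private=False),
}
FRIENDS = {2: {1}}  # owner id -> ids allowed to see a private passport
CHECKINS = [
    Checkin(1, 10, "2010-03-01T09:00:00+00:00"),
    Checkin(2, 10, "2010-03-01T09:05:00+00:00"),
    Checkin(2, 11, "2010-03-02T18:30:00+00:00"),
    Checkin(3, 11, "2010-03-02T19:00:00+00:00"),
]


def can_view(viewer_id, owner_id):
    """Single authorization rule: public passports are open; private ones are
    visible only to the owner and the owner's friends."""
    owner = USERS[owner_id]
    return (not owner.private
            or viewer_id == owner_id
            or viewer_id in FRIENDS.get(owner_id, set()))


def user_stamps(viewer_id, user_id):
    """Stand-in for step 2 (/users/<id>/stamps): this endpoint applies the rule."""
    if not can_view(viewer_id, user_id):
        return []
    return sorted({c.spot_id for c in CHECKINS if c.user_id == user_id})


def spot_checkins_vulnerable(viewer_id, spot_id):
    """Stand-in for step 5 before a fix: the rule is never consulted, so a
    private user's rows come back along with everyone else's."""
    return [(c.user_id, c.at) for c in CHECKINS if c.spot_id == spot_id]


def spot_checkins_fixed(viewer_id, spot_id):
    """Same endpoint with the rule applied to each row before it is returned."""
    return [(c.user_id, c.at) for c in CHECKINS
            if c.spot_id == spot_id and can_view(viewer_id, c.user_id)]


def decloak(viewer_id, target_id, spot_checkins):
    """Step 5 as a loop: walk every spot and keep the rows owned by the target.
    (The post uses the step 4 listing to pick spots; walking all of them here
    keeps the mock self-contained.)"""
    found = []
    for spot_id in sorted({c.spot_id for c in CHECKINS}):
        for uid, at in spot_checkins(viewer_id, spot_id):
            if uid == target_id:
                found.append((spot_id, at))
    return found


if __name__ == "__main__":
    print("carol sees bob's stamps directly:", user_stamps(3, 2))
    print("carol via spots (vulnerable):", decloak(3, 2, spot_checkins_vulnerable))
    print("carol via spots (fixed):     ", decloak(3, 2, spot_checkins_fixed))
```

With the vulnerable spot endpoint, carol gets both of bob’s check-ins with timestamps even though his stamp list came back empty for her; with the fixed one she gets nothing and alice, as a friend, still sees everything. The design lesson is that the visibility rule has to live in one place and be applied to every representation of the same record, not just the one the privacy switch was written for.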

Here is what my passport looks like at the time of this writing; go look for yourself at http://gowalla.com/users/adam_baldwin

Here is the output of the decloak.py script.

53172   Adam Baldwin (adam_baldwin)
Texas
checkin – 2010-02-10T04:56:26+00:00
Washington
checkin – 2010-01-10T23:45:20+00:00
IAH George Bush Intercontinental
checkin – 2010-02-10T04:56:26+00:00
Airplane Waiting On Tarmac
checkin – 2010-02-12T15:08:22+00:00
Tri-Cities Airport (PSC)
checkin – 2010-02-12T22:41:51+00:00

If you bothered to read this far then YOU WIN A BONUS!!!! Gowalla recently released their read-only API for developers. It comes with a handy tool for testing out and learning the API.

Here is the URL as shown in the screenshot above. XSS ftw?

http://gowalla.com/api/explorer#/spots?lat=30.2697&lng=-97.7494&radius=50"><script>alert('xss')</script>
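The explorer evidently copies the request you typed into its own markup without encoding it, so a double quote closes the href attribute, a > closes the tag, and the script that follows runs. The snippet below is an added illustration of that rendering step and of the fix, not the explorer’s real code; the template is an assumed stand-in for whatever line the explorer uses to echo the request back. It takes the payload from the URL above (minus the #/ fragment prefix) and shows the same template with and without entity encoding.

```python
from html import escape

# Assumed stand-in for the explorer's "here is the request you built" line.
EXPLORER_LINE = '<p>Request: <a href="{url}">{url}</a></p>'

# The path from the post's URL. The quote closes the href attribute, the >
# closes the tag, and the script element that follows is live markup.
PAYLOAD = '/spots?lat=30.2697&lng=-97.7494&radius=50"><script>alert(\'xss\')</script>'


def render_vulnerable(path):
    """Attacker-controlled text dropped straight into markup."""
    return EXPLORER_LINE.format(url=path)


def render_fixed(path):
    """Same output, but every character that is significant in HTML text or
    attribute context (& < > " ') is entity-encoded first, so the input stays
    a string wherever the template puts it."""
    return EXPLORER_LINE.format(url=escape(path, quote=True))


def attribute_broken_by_input(html):
    """True when the rendered markup contains more double quotes than the
    template's own two, i.e. the input managed to close the href attribute."""
    return html.count('"') > EXPLORER_LINE.count('"')


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_fixed(PAYLOAD))
```

The fixed rendering contains &quot;&gt;&lt;script&gt; instead of a script tag, and the quote count matches the template’s own, so the browser shows the payload as text. The same rule applies on the client side where the explorer actually does this work: assign untrusted strings with textContent or setAttribute, never by concatenating them into innerHTML.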

Gowalla was notified on March 4th about these particular issues.
