The Geolocater Firefox Plugin
Firefox is probably the easiest tool to use when faking your location. To see how this works you can type "about:config" in the URL box and then search on "geo". This pulls up the geolocation configuration in Firefox. The "geo.wifi.uri" setting can be changed to something other than the Google location service. For example, change the "geo.wifi.uri" value to any URL that will generate some JSON with location coordinates. The Geolocater Firefox plugin automates this for you. Simply install the "Geolocater" and search for a location using the search feature to automatically change your location. Get creative! You can go anywhere you want. Amaze your friends!
To test this out with Facebook Places you will need to use the Facebook mobile website: touch.facebook.com. Click on "Places" and Firefox will prompt you to allow Firefox to retrieve your location. Next, find a suitable location to check into like the Alien Research Center and tag some of your friends with you. I'm sure they won't mind.
FakeLocation iPhone Application and Fake Location for Android
The other easy way to fake your location is to simply use your iPhone or Android mobile device. For the iPhone (jailbroken of course) there is an application available in Cydia called FakeLocation. FakeLocation lets you select any location you want on a map and choose which applications you want to use to fake your location. Simply install it in Cydia, run the app, and choose the apps in which you want to use your fake location coordinates. Next, select where you want to be.
Finally, fire up the official Facebook app, then click on "Places" and you will notice that the FakeLocation app is working with a little notice that your location is being faked.
You can then check-in and tag your friends just like on the touch.facebook.com website. Android users can use an app called "Fake Location" which from what I can tell has the same functionality as the iPhone app.
One thing I noticed during my testing is that Facebook does have some checks in place that won't allow you to check-in at two locations within a large distance. You might get an error that says "The checkin is a significant distance from the user's previous checkin in too short a timeframe". I thought this was going to be a problem until I started to test this out a bit further. This check seems to be based on time, not distance. For example, checking into the Monroeville Mall (home of the Zombie Museum) then checking into the Spy Museum in Washington, DC blocked me after about a five minute window. I waited approximately 17 minutes and I was able to check-in at Washington, DC successfully. Actual distance from Monroeville, PA to Washington, DC is approximately 233 miles! A drive is about 4 1/2 hours; I made it in 17 minutes.
What Does All This Mean?
Now that the biggest social network on the block with its 500 million users is ready to play in the location based sandbox, Facebook is strategically poised to take over location based social networks. The problem that businesses, which might want to use location based services for actual business, haven't realized is that it's trivial to "game the system." Businesses have started to "trust" that people would never do anything like fake their location, even though there have been plenty of extreme examples over the last year or so as well as the ones in this post. Examples like the ones shown here seem fun but the real problem is that location based services trust the location coordinates from the user. Services like these shouldn't trust location coordinates (or any input data) from a user; how do these services know the data is valid? Perhaps we will see "two-factor" location based check-ins in the future. Unfortunately, this is a tough problem to solve and is a much bigger problem than tagging your friends in strange places.
Looking for more on the latest hacks, exploits, and more? Head to the SecureState website for all of the latest on information security.
Tom Eston is a Senior Security Consultant for SecureState. Tom is actively involved in the security community and focuses his research on the security of social media. He is the founder of SocialMediaSecurity.com which is an open source community dedicated to exposing the insecurities of social media.