OSINT: The privacy risks of sharing too much information
In the past, I’ve written about digital privacy and how much data we leak through our day to day interactions. I think this is an important topic to consider and really focus on and it is an element of cybersecurity at both the enterprise and personal level that isn’t discussed enough. One of the reasons is that demonstrating this can definitely have elements of “being creepy.” With software vulnerabilities, we can obtain the software ourselves and demonstrate the vulnerability. That’s more difficult to do with privacy related information as anyone who could consent is someone that you likely know a lot about already.
One exception to this is a YouTuber that my wife and I enjoy watching on the channel GeoWizard. Much of what happens on that channel is tied to the web-based game Geoguessr. Another aspect of the channel, however, is the Geo Detective series of videos where GeoWizard is sent images from fans and attempts to use background clues to identify exactly where they were in the world when the photo was taken. My wife and I will often play along, pausing the video after the image is shown and timing ourselves finding the location, then we’ll watch how GeoWizard approaches the problem and eventually find out if we were correct.
My wife and I have taken this game and expanded it, applying it to photos and videos posted by celebrities and influencers. It is definitely a weird way to pass the time, but we’re both really passionate about learning new things and you learn a ton when you’re trying to place where an image was taken. In the past, we have successfully identified locations visited by several of our favourite content creators.
The Risks of Posting too Much Information
Recently, a content creator we regularly watch moved. They posted on Twitter when they bought their new home and after moving they posted a walkthrough video of their new home. This is where my warning comes in. Everyone should heed this warning, but if you have an audience, especially one that knows the name of the city in which you live, you should pay close attention here. In the past, we have attempted to privately warn people who have clearly posted too much information, but that typically results in them ignoring us or blocking us. So, this time, I’m trying a public plea that I hope people will read.
When this creator posted their walkthrough, they showed the view outside, including surrounding buildings. My wife and I were able to pause the video and within 30 minutes identify the part of the city in which they were located. After another 15 minutes, we had identified the building in question. This is already concerning, but the available data did not stop there.
Within minutes of finding the name of the building, we were able to identify publicly available sale data and using details from the walkthrough video, identify which unit it was. We were able to confirm this by mapping the individuals original tweet to the sale date of the unit. This then gave us details such as the real estate agents involved, the sale price, the condo fees, and more. From that, we found the balcony and windows associated with the unit and were able to confirm that the views matched the video walkthrough. We also had a detailed floor plan at this point.
If all of this sounds scary, that’s because it is. We’re just a bored, middle age couple that had nothing better to do on a Friday night, but what if that wasn’t the case? There are plenty of stories of fans showing up at the homes of content creators, or stalkers breaking into their homes while they are out or, worse, asleep. I have been saying for years that this type of information leakage is incredibly dangerous. It just takes one unhinged individual to discover this same information and use it in a negative way.
So, that’s it… another story about how cyberstalking from a single image or comment can reveal a plethora of real-world data. While I doubt any influencers or celebrities will read this and think about their safety, I hope that they will. If you know anyone who is in the public spotlight, send them this article. Hopefully, they’ll give it a read. If they do have any questions, they can always reach out to me for answers.