Are you sharing your address on social media?

Do you share your full address on social media?  No, of course not, or at least I hope you are not.

But are you sharing enough information for someone to work out your address? Maybe!

Over time we share seemingly small amounts of information that put together could allow attackers to find your address. Photos are especially revealing!

Using this fictious Facebook account and I have seeded the sort of clues we have used to find address information in the past. Although this is Facebook, the same principles apply to other social media sites.

Obviously, the John we use in this post doesn’t exist and therefore any location found is unrelated.

Meet John Smith

Looking at the profile we can see he says he lives in Exeter. When doing any kind of Open-Source Intelligence (OSINT) there is an element of experienced guess work! The profile in this case says John lives in Exeter, we don’t know if this is fact or fiction, commonly when people post a location on Facebook like this it is usually a general area, the assumption being that it’s a wide enough location that the individual couldn’t be accurately located. However, commonly people who do post their location typically do live in the vicinity of the place posted, in this case Exeter, so we can assume it’s likely John lives in Devon somewhere.

John also says he is married, if his spouse is also on Facebook we have 2 sources of information to compare. Additionally, we can sometimes use other sources such as the Births, Deaths and Marriages register and electoral roll information to get a more accurate location.

John lists his place of work.  Searching for “Acme Widgets Ltd” and we could find they are based in Honiton, near Exeter in Devon so suggesting that John lives in the area. (Note: in this case Acme Widgets Ltd is fictitious).

Information shared	Risk
Approx. area	Low	Within Facebook this can be used to find friends, and is normally very wide area
Workplace	Low	Again, this will only give away a wide area of possible locations for the company the subject works for

 

Company records

Depending on the individual’s seniority within the workplace, this can also disclose the full home address of the individual.

If the company is a UK limited company they have to be registered with Companies house. This will include all directors and company secretaries recorded correspondence address.

I have found directors of smaller businesses will commonly list their own home as a correspondence address. Also directors will often be directors of multiple businesses, some will use a correspondence address some won’t.

It is possible to use your accountant’s address as your companies registered address. If you are a company director and are worried about your address being available on Companies House, talk to your accountant about using them as a correspondence address.

Information shared	Risk
Home address on Companies House	High	That’s it, address found!

 

Your kids

Parents LOVE sharing things about their children, this is a great way of working out peoples addresses. Fortunately, Facebook strips metadata such as geo location tags from images you upload. So we need to use artifacts in the images to help narrow the search.

That first day of school photos? The school logo will typically be on the blazer or jumper. They may tag the school in the post. It’s common to take the photo outside in front of the house. Can you see the house name or number? What colour is the door, how is the building constructed? What is the estimated age of the child, commonly parents will post what year they are going in to, this can narrow an age bracket and help identify the type of school. All of these are factors in allowing you to narrow down the location of the address.

On John Smith’s Facebook page there is a photo of his children going back to School.

This photo does give us some great clues and information; the house number, 2 school logos on the children’s tops & bag, the children estimated age, the house construction.

A reverse image search of the logo can really help to identify the school, however, commonly the school’s name will be included in the badge, combining this with a rough location such as Devon it’s easy to identify the school.

If the logo does not have a name, but you have a rough area searching council lists for the schools in the area servicing the particular age group will narrow the school search.  Finding the school(s) will allow you to identify the catchment area, commonly the house will reside within that part of the town or village, reducing the search further.

Even with lower resolution of photos taken from social media I have been able to identify school from images.

Information shared	Risk
Front of the house	Low – Medium	Every house is unique, this can be used to identify it on street view services. Why not take the photos in the back garden or just don’t publish them widely?
House Number	High	This can be easily removed with cropping it out of the image or pop an emoji sticker over it.
School Logos	Medium	Schools are easy to find once you have the logo or name even if they are pixelated, if possible, try not to include the logos at all, or again an emoji sticker can cover it

 

Post information

Looking at other photos John has posted we can review not only the image, but the message posted with it and the date and time it was posted, along with any comments from friends and family.

From this image we know the Anchor Inn is John’ local pub. Sadly a search for The Anchor Inn within Devon results in a LOT of results, around 58k results, we could sift through these and may get lucky. I’d always try a few on the first page or use image searching to see if any stick out.

The first image is of an Anchor Inn, in Beer in Devon. Streetview searches of the pub confirm this.

An interesting side note, the distinctive gold logo appears to have been changed prior to the image being uploaded to Facebook.  Google regularly update Streetview images, the road directly outside the pub has an image dated May 2018. The post is dated 2020, this suggests the image is an old image being reused at a later date.

Using the history view and gong back to January 2009 shows the distinctive gold lettering and Greene King branding.

Information shared	Risk
Your pub	Medium	Even just using a photo of the pub can give away its location just as much as checking in to the venue within the post.  Try not to include the name of the pub in the photos.
Landmarks \ small businesses	Low	Small business included in your photos can help pinpoint where the photo was taken & if you then confirm in the comments it is local, they can be used to work out the local area.

 

While in this example there is a lot going on in the town, small villages also have plenty of visual clues, which may not initially give the location away, can be used to confirm theories.

Taking stock

We now have:

• The house number
• The children’s school
• A rough catchment area
• The local pub
• The town
• The county.

All we need now is the street.

The photo earlier of the front of the house could be used with Street View, depending on the defining characteristics with the house and the size of the town, this could take a while!

Are there any other photos that can help us?  John has posted this one of a dog & a girl sat on the windowsill.

This image we have a tells us:

• The house has a sea view, but not right on the sea front, there is a road and land between.
• The house is on a one-way street.
• There is parking nearby.

With these pieces of information in addition to the other clues it is possible identify the road, allowing us to complete the address and validate it with a street view search.

Information shared	Risk
View from the house	Medium – High	This can show information that will be visible with Google Street View.

 

If John was a real person, we would now know his exact address, what his kids look like and their rough age, the school they go to and where he goes for a pint.

Fixing the mess

Whilst stopping using social media and posting images is one solution, for many people it is not something they wish to do. That’s understandable. For many social media can be a positive experience allowing the sharing of information with friends and family.

However, it’s important to be aware of the risks when you share content. Images you share will often include sensitive data, your school photos, take them in the house or at the rear of the house. Blur or crop images to remove content you don’t want to share. Choose angles when taking the photo to not disclose information.

When you check in or tag yourself at places you can give away snippets of location data about yourself, be that where you live or where you socialise. Consider if you need to share that and whether you need to tag in.

When sharing make sure you set the privacy settings correctly, share with Friends only, not friends of friends of worse still publicly.

Ensure you connect only with people you know and trust as what you post you online they can share outside of your control.

Finally, remember, that things you post to social media are there forever, you may want to consider pruning older content or adjusting the settings on older posts that you may have posted more widely to reduce the audience. This option within Facebook privacy settings will do them all in one go to save you manually editing them.

Keep safe and if you are business concerned about what you are leaking online, a thorough assessment of your OpSec will help you to understand what you are leaking to the internet.

Read more about OpSec in Red Teaming here.