Seeker uses the browser’s own Geolocation API and fingerprinting techniques to harvest detailed location and device data, all disguised behind convincing fake web pages like Google Drive, WhatsApp, or Telegram login screens. It’s a practical demonstration of how social engineering combined with HTML5 APIs can bypass obvious technical barriers — simply by getting the user to click “Allow” on a location permission prompt.
what seeker does and how it works
At its core, Seeker is a proof-of-concept social engineering framework that hosts phishing-style web pages designed to look like legitimate services. These pages prompt the target to allow browser location access, and upon permission, Seeker captures very precise GPS coordinates using the HTML5 Geolocation API.
Beyond just GPS, Seeker harvests a detailed device fingerprint without any additional permissions. Using Canvas fingerprinting, it collects information such as the operating system, GPU model, RAM size, screen resolution, and browser version. This fingerprinting technique exploits subtle differences in how devices render graphics to uniquely identify them.
Seeker also gathers IP addresses — both public and local — and can optionally perform automated IP reconnaissance to enrich the data set. The collected information can be exported as KML files for visualization in Google Earth or sent directly to Telegram or a custom webhook for real-time alerts.
Under the hood, Seeker is built with Python, using the Flask web framework to serve the phishing pages and handle data collection. It’s designed to run on Linux distributions, Termux on Android, macOS, and even within Docker containers. For exposing the local server to the internet, it relies on tunneling services like ngrok or localhost.run, which is typical in penetration testing setups.
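Because the pages are exposed through public tunnelling services, outbound requests to tunnel hostnames are a practical detection point on a web proxy. The following is an added example, not code from the Seeker project: the domain suffix list and the log layout are assumptions made for illustration, and the log lines are constructed.

```python
"""Flag proxy-log requests whose host sits under a tunnelling-service domain."""
from urllib.parse import urlsplit

# Assumption: suffixes under which tunnel URLs are published. Maintain this
# list from your own telemetry and the providers' documentation.
TUNNEL_SUFFIXES = ("ngrok.io", "ngrok.app", "ngrok-free.app", "lhr.life", "localhost.run")

def host_of(target: str) -> str:
    """Return the lower-cased hostname, without port or trailing dot."""
    if "://" not in target:       # CONNECT lines carry host:port only
        target = "//" + target
    return (urlsplit(target).hostname or "").rstrip(".").lower()

def is_tunnel_host(host: str) -> bool:
    """Match on a label boundary so 'notngrok.io' or 'ngrok.io.example.com' do not hit."""
    return any(host == s or host.endswith("." + s) for s in TUNNEL_SUFFIXES)

def flag_tunnel_requests(log_lines):
    """Return (timestamp, client_ip, host) for each request to a tunnel host.

    Assumed log layout (constructed for this example):
    '<iso-timestamp> <client-ip> <method> <url-or-host:port> <status>'
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue              # skip malformed lines rather than crash
        ts, client, _method, target = parts[:4]
        host = host_of(target)
        if is_tunnel_host(host):
            hits.append((ts, client, host))
    return hits

# Constructed sample lines; addresses and hostnames are illustrative only.
SAMPLE_LOG = [
    "2024-05-01T09:14:02Z 10.0.4.17 GET https://drive.google.com/file/d/abc 200",
    "2024-05-01T09:14:40Z 10.0.4.17 CONNECT 3f9c-203-0-113-7.ngrok-free.app:443 200",
    "2024-05-01T09:15:11Z 10.0.9.80 GET http://A1B2C3.LHR.LIFE./share/ 200",
    "2024-05-01T09:16:30Z 10.0.9.81 GET https://ngrok.io.example.com/ 200",
    "2024-05-01T09:17:05Z 10.0.9.82 GET https://notngrok.io/ 200",
    "truncated line",
]

if __name__ == "__main__":
    for ts, client, host in flag_tunnel_requests(SAMPLE_LOG):
        print(f"{ts} {client} -> {host}")
```

A hit is a lead for triage rather than proof of phishing, since developers use the same tunnels for legitimate testing.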
technical strengths and design tradeoffs
One of Seeker’s standout features is the way it combines social engineering with browser APIs to get around technical restrictions. It doesn’t exploit vulnerabilities or use malware; it simply relies on a convincing UI to get the user to grant location permission. This makes the attack vector very real-world and practical.
The use of HTML5’s Geolocation API ensures GPS accuracy within roughly 30 meters, which is quite precise for many tracking purposes. The device fingerprinting via Canvas API adds another layer of identification that is gathered silently without triggering extra permissions or warnings.
The codebase is surprisingly clean for a social engineering toolkit, focusing on modularity and ease of deployment. The Flask server handles HTTP requests and data logging cleanly, while the frontend mimics popular web services well enough to fool casual users.
The multi-platform support is a clear design strength. Running on Termux means it can be deployed on Android devices, which is handy for on-the-go operations. Docker support makes it portable and easy to integrate into containerized environments.
The tradeoffs are clear, though: Seeker requires the target to actively allow location access, so it is only as stealthy as its social engineering is effective. It’s not a silent exploit but a demonstration of how user consent can be manipulated. Heavy reliance on third-party tunneling services may also introduce latency or reliability issues in real-world use.
Ethically, Seeker is meant for penetration testing and awareness demonstrations. Its power is tied to deception, so responsible usage and legal considerations are paramount.
quick start
Seeker provides straightforward installation and run commands across several platforms.
For Kali Linux, Arch Linux, Ubuntu, Fedora, Parrot OS, or Termux, use:
git clone https://github.com/thewhiteh4t/seeker.git
cd seeker/
chmod +x install.sh
./install.sh
On BlackArch Linux:
sudo pacman -S seeker
For Docker:
docker pull thewhiteh4t/seeker
On macOS:
git clone https://github.com/thewhiteh4t/seeker.git
cd seeker/
python3 seeker.py
To run in tunnel mode (e.g., with ngrok), install ngrok and start a tunnel:
brew install ngrok/ngrok/ngrok
ngrok http 8080
These commands get you from zero to running with minimal setup, ready to expose the phishing pages either locally or remotely.
verdict
Seeker is a practical toolkit showcasing the power of social engineering combined with browser APIs to harvest precise location and device fingerprint data. It’s not a stealth exploit but a demonstration that user permission dialogs can be manipulated to reveal sensitive information.
This repo is relevant for security researchers, penetration testers, and privacy professionals interested in understanding the risks tied to browser permissions and fingerprinting. It’s also a useful educational tool to show how seemingly innocuous actions like clicking “Allow” can have serious privacy implications.
The tradeoff is clear: it depends heavily on convincing the user, so it’s less about technical exploits and more about UX deception. The code is clean and the multi-platform support broad, making it accessible for real-world testing scenarios.
Use it responsibly and within legal boundaries — it’s a tool to learn from, not to misuse.
→ GitHub Repo: thewhiteh4t/seeker ⭐ 9,480 · CSS