Tracking Through Media: How Images and Videos Can Expose Your Location


Winston.I

4/8/2025 · 2 min read

While people are becoming more cautious about links, media files — like images and videos — still feel safe. That’s exactly what makes them the perfect vector for social engineering and tracking. In one of my recent projects, I developed a technique that embeds location-tracking capabilities into the process of viewing a video or image — with no link-clicking or obvious signs of compromise.

How the Project Works

The core idea is simple: a video or image is shared with the target (often disguised as something interesting or emotional). But instead of hosting that media on a trusted platform, it's embedded on a custom-built page that silently tracks the viewer’s IP address, browser fingerprint, and geolocation, then forwards that data to a remote server in real time.

Here’s what happens the moment they view it:

  • 📍 IP Address and location (via IP geolocation) are instantly logged

  • 🌐 Browser fingerprinting collects info on the device, OS, and plugins

  • 🛰️ If permissions allow, the Geolocation API captures precise coordinates

  • 🛠️ All data is sent silently via webhook (e.g., ntfy.sh, Discord, Telegram, or custom API)

Even if they don’t press play, just loading the page or previewing the image is enough to trigger the background logging mechanism.
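Seen from the defender's side, the behaviours listed above leave traces in the page's scripts. The following is an added example, not code from the original post: a static triage script that flags a page whose scripts combine a collection API with one of the webhook services named above. The pattern set, function names and sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Behaviours the post lists, mapped to patterns visible in page scripts.
SIGNALS = {
    "geolocation_api": re.compile(r"navigator\.geolocation\.(?:getCurrentPosition|watchPosition)"),
    "camera_access": re.compile(r"\bgetUserMedia\b"),
    "fingerprinting": re.compile(r"navigator\.(?:plugins|platform|userAgent)\b"),
    "webhook_endpoint": re.compile(r"https://(?:ntfy\.sh/|discord(?:app)?\.com/api/webhooks/|api\.telegram\.org/bot)", re.I),
}
COLLECTORS = {"geolocation_api", "camera_access", "fingerprinting"}

# Constructed sample pages (inert fragments, not taken from the post).
TRACKING_PAGE = """<html><body><video src="clip.mp4"></video>
<script>
navigator.geolocation.getCurrentPosition(cb);
var hook = "https://ntfy.sh/constructed-topic";
</script></body></html>"""
PLAIN_PAGE = "<p>Docs: navigator.geolocation.getCurrentPosition asks for consent.</p>"


class ScriptExtractor(HTMLParser):
    """Collect inline script bodies, script src URLs and on* handler attributes."""
    def __init__(self):
        super().__init__()
        self.chunks, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            if value and (name.startswith("on") or (tag == "script" and name == "src")):
                self.chunks.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)


def triage_page(html):
    """Return (signals found, True if the page both collects data and names a webhook)."""
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()
    code = "\n".join(parser.chunks)
    found = sorted(name for name, rx in SIGNALS.items() if rx.search(code))
    return found, "webhook_endpoint" in found and bool(COLLECTORS & set(found))
```

This is static triage only: externally loaded or obfuscated scripts are not inspected, so an empty result does not clear a page.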

If it is a video, once they start watching it we will be able to see their location.

If they are using a VPN, extra verification will be needed so we can determine their real address, and this will also access their camera to take a sneak shot.

If we send them a picture, this is how it will look.