📍 Free Tool That Pulls GPS, IP, and Selfies From a Click

Every website you open can ask your browser for permissions — same way phone apps do. “Allow this site to use your location?” “Allow this site to use your camera?” You’ve tapped these popups a hundred times.

Normal sites only ask when there’s an obvious reason — Google Maps for directions, Zoom for your meeting, your bank for check scanning. r4ven is a webpage whose ONLY job is to dress those popups up as normal, then ship whatever it gets to the attacker’s Discord channel.

That’s the entire mechanism. No malware. No exploit. No fancy hacking. Just a webpage exploiting one universal habit: tapping Allow without reading.

:light_bulb: The real kicker: even if the target taps Block on the popup, the page already silently grabbed their IP, device model, browser, OS, and rough city — the second they clicked the link. That part needs no permission at all. The GPS pin and selfies are just the bonus prize for tapping Allow.

Odysee

R4ven - Track Someone’s Location Over The Internet

The tool hosts a fake website that uses an iframe to display a legit website and, if the target allows it, it will fetch the target’s GPS location (latitude and longitude), and capture multiple pictur…


:star_struck: Why it’s awesome

  • :free_button: Free, open-source, 1.3k stars — anyone can read every line of the code
  • :bullseye: Works because the weakness is human, not technical — same reason real phishing works
  • :cloud: “Run in Google Cloud Shell” button on the repo — zero install needed to play with
  • :performing_arts: Pairs with a URL masker so links look like youtube-shorts.com/abc123 instead of an ugly IP address
  • :mobile_phone_with_arrow: Captures arrive in Discord like notifications — easy to scroll back through later
  • :brain: Best phishing-awareness teacher in 5 minutes — once your own GPS pin shows up in your ownDiscord from your own click, the lesson sticks for life

:game_die: Fun use cases

Use case The vibe
:test_tube: Test it on yourself Send the link to your own phone, watch your data pour out in real-time. Eye-opening doesn’t cover it.
:fish: Smoke out a catfisher “Wow you’re really in Miami?” → “wanna see my pic?” link → coordinates say Lagos call center
:magnifying_glass_tilted_left: Sniff a sketchy seller Marketplace seller claims “local pickup only” but the messages feel off — one click, truth confirmed
:teacher: Family security demo Run it at the dinner table on someone who consents — instant lesson on why permissions matter
:mobile_phone: Find your own lost phone Email yourself the link, click it the moment you spot the phone briefly, get coords back
:ninja: Authorized pentest demos Red-team gigs, classroom labs, security meetups — exactly what it was built for

:light_bulb: Obvious caveat: aiming this at someone who hasn’t consented is illegal in most countries. The fun is in understanding the trick, not weaponizing it. Run it on yourself or active scammers — not your ex.


Repo: github.com/spyboy-productions/r4ven


Run it on yourself first. Watch your own coordinates land in your own Discord from a single click. That’s the moment “Allow Location?” stops being a reflex tap — forever.

9 Likes