Every website you open can ask your browser for permissions — same way phone apps do. “Allow this site to use your location?” “Allow this site to use your camera?” You’ve tapped these popups a hundred times.
Normal sites only ask when there’s an obvious reason — Google Maps for directions, Zoom for your meeting, your bank for check scanning. r4ven is a webpage whose ONLY job is to dress those popups up as normal, then ship whatever it gets to the attacker’s Discord channel.
That’s the entire mechanism. No malware. No exploit. No fancy hacking. Just a webpage exploiting one universal habit: tapping Allow without reading.
The real kicker: even if the target taps Block on the popup, the page already silently grabbed their IP, device model, browser, OS, and rough city — the second they clicked the link. That part needs no permission at all. The GPS pin and selfies are just the bonus prize for tapping Allow.
![]()
R4ven - Track Someone’s Location Over The Internet
The tool hosts a fake website that uses an iframe to display a legit website and, if the target allows it, it will fetch the target’s GPS location (latitude and longitude), and capture multiple pictur…
Why it’s awesome
Free, open-source, 1.3k stars — anyone can read every line of the code
Works because the weakness is human, not technical — same reason real phishing works
“Run in Google Cloud Shell” button on the repo — zero install needed to play with
Pairs with a URL masker so links look like youtube-shorts.com/abc123instead of an ugly IP address
Captures arrive in Discord like notifications — easy to scroll back through later
Best phishing-awareness teacher in 5 minutes — once your own GPS pin shows up in your ownDiscord from your own click, the lesson sticks for life
Fun use cases
| Use case | The vibe |
|---|---|
| Send the link to your own phone, watch your data pour out in real-time. Eye-opening doesn’t cover it. | |
| “Wow you’re really in Miami?” → “wanna see my pic?” link → coordinates say Lagos call center | |
| Marketplace seller claims “local pickup only” but the messages feel off — one click, truth confirmed | |
| Run it at the dinner table on someone who consents — instant lesson on why permissions matter | |
| Email yourself the link, click it the moment you spot the phone briefly, get coords back | |
| Red-team gigs, classroom labs, security meetups — exactly what it was built for |
Obvious caveat: aiming this at someone who hasn’t consented is illegal in most countries. The fun is in understanding the trick, not weaponizing it. Run it on yourself or active scammers — not your ex.
Repo: github.com/spyboy-productions/r4ven
Run it on yourself first. Watch your own coordinates land in your own Discord from a single click. That’s the moment “Allow Location?” stops being a reflex tap — forever.
!