We have gotten Firefox fingerprinting about as tight as possible for a web extension that spoofs your location. Most practical methods to detect lies in the browser are patched (to my knowledge).
That being said, Firefox does expose a couple of niche OS-level apis that do expose your system date/time, including Web Workers. There is nothing any extension can do about this. Realistically, the vast majority of trackers and websites are not using these to determine your timezone. However, it IS possible, therefore I cannot recommend this extension for those with extreme threat models. If you are worrying about this, you should be using TOR or Mullvad instead.
One workaround for the above is to set your system OS date time to the GeoSpoof timezone. This actually completely passes the Arkenfox fingerprinting test suite here: TZP
Otherwise, this is about as good as you can spoof location data on Firefox, Chrome, etc.
Thanks for the response, but it still doesn’t work. I really can’t figure this out. At the end of the day, is it an important feature?
So let me tell you my setup at the moment. I’m wondering if GeoSpoof is making a difference or not. My Android phone is connected to a router using a VPN. On my Android, I’m using another VPN app, so I’m effectively getting a multi-hop with two different providers. The VPN app can also enable mock GPS, which I have enabled. It gets the GPS location to the VPN location. Finally, I’m using your extension with Firefox. I have location and WebRTC protections enabled. The sync with VPN still doesn’t work for me. Instead, I searched up the city of the VPN that my router is using. I know it sounds confusing, but is the obfuscation likely to work?
Your setup sounds solid and your workaround is correct. Manually setting the city to your router VPN’s location is exactly what VPN Sync would have done automatically. The browser-level spoofing should be working fine.
VPN Sync failing in a multi-hop setup may be a limitation, I haven’t checked that scenario. To help debug, can you share your VPN provider so I can try to replicate this? If you want to help me diagnose the VPN Sync issue, here’s what to do:
Enable debug logging: Open the GeoSpoof popup → Details tab → Advanced → enable Debug Logging and set verbosity to Debug
Open the extension inspector: Go to about:debugging in Firefox → This Firefox → find GeoSpoof → click Inspect
Capture logs In the inspector: go to the Console tab and clear it. Then click “Sync Now” in the popup. Copy and paste all the log entries.
Capture network requests: Still in the inspector, switch to the Network tab and clear it. Click “Sync Now” again. Right-click any request → Save All As HAR to export the network log.
That’s awesome! How did you make this work for iOS? I thought iOS was too locked down to make this work?! What about Brave or any other browsers on iOS?
I’ll get back to you this week; I have more time this weekend. I’m wondering if all this obfuscation will make a difference, or if I should simplify things? It sounds like I’m not missing a whole lot without being able to sync, which is good news.
Are you going to make this compatible with Brave on desktop and Android?
Will all Firefox-based browsers, including IronFox and Waterfox, be compatible?
I see that it’s also available on macOS, too? Is it possible for you to make it available for download outside the App Store? On my Mac, I refuse to sign in and use the App Store.
Unfortunately no way that I know of. You can only install Safari extensions through the App Store. I can do a bit of research to try to find a way around that but I’m not very hopeful
Oh wow. I hope there is a workaround. Really hate how I have to sign in to everything with an account these days. All of this surveillance is annoying!
I have been working on patching Web Worker timezone leaks, and made some significant progress in the most recent version of GeoSpoof (1.19.1). More updates to come
You can test your browser running GeoSpoof on my new experimental test suite: Verify your protection | GeoSpoof (disclaimer: may have bugs, still in progress).
Your link doesn’t work. It seems like it’s blocked on my end, and I don’t know why.
I’ve installed your extension on iOS. How come it doesn’t have webRTC protection like on Android? Is there any way to get the extension working on other iOS browsers, even if they’re skinned versions like Brave and Firefox?
I have a future update coming out adding WebRTC protection on Safari. It is trickier than Firefox but possible. I just haven’t uploaded the app build for iOS yet.
Apple doesn’t support extensions for other browsers on iPhone and iPad so that unfortunately is out of my control (except Safari)
Also, something is sounding a bit strange with your network setup if you can’t reach both my website and the sync VPN function. Can you try on a fresh profile of Firefox, Safari, Brave, or any browser? It is hard for me to know the issue without any details on your setup. I genuinely want to help you get to the bottom of it though
I agree, and I’m sorry if I’m the one causing the problem. I’m also using Control D and NextDNS as my DNS resolvers.
I’m still not comfortable installing your extension on my Mac because I have never signed into the App Store with it and don’t ever plan to. I really hope you’ll come up with a way to install it without the App Store.
Just saw an iOS update and it now adds WebRTC protection! @sgro, can you confirm that iOS is now at feature, performance, and security parity with Android? Anything else on your roadmap, or is this as good as it gets for Geospoof?
GeoSpoof v1.19.9 is now out on Firefox (soon to be on Chrome store and Safari) with a brand new feature.
Sync with VPN is now automatic. Previously, when you switched your VPN to a new server you had to open GeoSpoof and press Re-sync to move your spoofed location to match. Now GeoSpoof notices when your exit IP changes and re-syncs on its own, usually within a few seconds of your next page load.
It works across browsers (Chrome, Firefox, Brave, Edge) and with both desktop VPN apps and browser-extension VPNs.
A few details:
It re-checks your public IP as you browse, only doing the work when the IP has actually changed, so it stays light and won’t hammer anything in the background.
Re-sync is still there if you want to force an update the instant you switch, rather than waiting for it to catch up.
One thing to expect: a page you already had open when you switched servers may need a refresh and cooldown to pick up the new location due to some debouncing time (about 10 seconds) to prevent API throttling. Pages you open afterward get it automatically.
Please let me know about any bugs or regressions. I did testing but would love some feedback on my GitHub Issues page. Thanks
