Based on the screenshots it looks like the mac address is leaking out because its in the referer. I would guess this isn't intentional and shouldn't be hard to fix.<p>I've worked with a number of captive portal systems and they all basically work the same way. The AP/controller intercepts http requests and redirects to the captive portal page with identifying information about the device (ip,mac,ssid,ap_mac,etc.). The captive portal http server shows the user a splash page to accept terms or enter a username/password or a credit card. Once the captive portal server decides the user should be allowed onto the network it needs to communicate that back to the wireless hardware which is done with the user's mac address.<p>Based on the requests it looks like they have some ads/trackers on the splash page that are getting requests with a referer set to the original splash page url (which includes the client mac address). A no-referrer meta tag or an intermediate redirect would prevent this from happening.
Milan Airports answered that they have submitted the issue to the "Information technology staff"<p>source: <a href="https://twitter.com/pimterry/status/1192038174408753152?s=20" rel="nofollow">https://twitter.com/pimterry/status/1192038174408753152?s=20</a>
On my Mac, I leave this running all the time:<p><a href="https://github.com/halo/LinkLiar" rel="nofollow">https://github.com/halo/LinkLiar</a>
iPhones randomize the MAC address when connecting to hotspots (on a per-ssid basis, I think?). Other platforms do too (Windows 10 now has an option to do that automatically as well, but I can’t recall if it is enabled by default).
Does anyone have a theory on what the "advertisers and trackers" want a MAC address for? If they're using it for anything load bearing, it seems like there is an interesting CCC talk lurking here for anyone who wants to visit that airport with a few hundred dollars worth of devices and stuff a few tens of million spoofed MAC addresses into the system.
The problem with constantly shuffling MAC addresses is that they are used for device authentication on corporate/school/university networks. Does anyone know of a utility that generates MAC addresses as a hash of the SSID?
Great. Guess they have the MAC address of my laptop from when I was there last week then. Fortunately it was a burner Chromebook running Gallium Linux so that makes me care a little less.
What I'm more worried about are probe requests, because sometimes I forget to turn off the wifi. Do you know whether the MAC address, or other identifying data, is sent in this case?
Oof! Does anyone recommend any tools for protecting against this sort of stuff? I feel like a VPN wouldn’t even be enough here since the MAC address is coming through the headers.<p>Edit: typo
Can someone post a TLDR? Twitter blocks Tor exit nodes, so the content is unavailable:<p>> 403 Forbidden: The server understood the request, but is refusing to fulfill it.