Can Third Parties Obtain My MAC Address?

MAC address. No, not the kind you eat, but the type embedded in your device’s hardware. This unique MAC address is a critical part of your device’s connection to the internet, and understanding it can help you protect your privacy.

This article will delve into MAC addresses, explaining what they are, how they differ from IP addresses, and why they matter. We’ll also explore real-world cases highlighting MAC addresses’ importance and potential risks.

What is a MAC Address?

MAC addresses are like the secret code that helps your device communicate with the rest of the internet. It’s like having a secret handshake that only cool people (i.e., devices on a network) know.

Think of it like this – every device on the internet has a unique identifier, like a digital name tag. The MAC address makes your device’s name tag stand out from all the others. It’s like your device’s unique superpower that helps it connect to all the internet services.

And get this – while your IP address (another internet identifier) can change, your MAC address is with you for life! It’s like a loyal companion always by your device’s side. And because it’s unique to your device, it can help track what your device is doing on the network.

IP Address vs. MAC Address

An IP address is another way to ID devices on a network. You’ve got internal devices used for local network devices and external ones that internet service providers (ISPs) hand out for internet communication.

But a MAC address is different – like a name tag for your device’s network connection. Every type of network interface, from your Wi-Fi card to your Ethernet port to your Bluetooth adapter, has its unique MAC address.

The chances of having the same MAC address as someone else are like winning the lottery. No wonder, then, that we are asked this question so frequently – if websites can obtain your MAC address, then it is a significant risk.

Is your MAC address private?

Let’s return to our original question: Are MAC addresses obtainable by sites you visit? The short answer is no. it essentially isn’t; previously, technologies like Java and Flash made it possible, but with these now deprecated or obsolete, the main remaining methods are somewhat more roundabout.

This does not, however, mean this isn’t an important point for businesses reliant on browser privacy. As we explain, it provides a clear path to where your priorities should lie.

First, however, a brief overview of how a MAC address could be obtained.

The TikTok case

While there is no longer a one-stop solution to get a MAC address, it is possible by combining information from different channels.

You may have seen the case of the Chinese app TikTok/Douyin, where news reports show that it collected users’ MAC addresses for 15 months. If you have launched the application, then TikTok knows at least your MAC address and, through this information, the brand of mobile phone you used.

Captive portals

Internet-connected devices in shopping malls, coffee shops, stations, and more surround us. However, connecting to a public WiFi network has its risks. Connecting means you share your network adapter’s MAC address.

So far, so innocuous – until you see research from Concordia University showing some hotspots leak MAC addresses to numerous other parties. Pizza Hut leaks your MAC address to 11 domains, H&M Place Montreal Trust, and Discount Car Rental to six.

And the receiving domains? Top names include Alphabet (Google), Facebook, and Amazon.

Some hotspots, such as Pizza Hut and H&M, leak MAC addresses to numerous third parties.

Some of these third parties set persistent cookies that can sometimes last even as long as 20 years! While your mobile may hide or give a randomized MAC address, our PC or laptop won’t. While connecting, most computers will use the OS’s default browser, helping the persistent cookie to establish a relationship between our identity and MAC address.

DNS rebinding

DNS or domain name system gives us friendly website names – like google.com – instead of complicated strings of IP numbers like 142.250.180.110.

When we connect to that domain, under the cover, our devices ask the domain name server which IP address is assigned to what we browsed (e.g., google.com). To avoid repeatedly doing this, your device keeps the info for a period specified by the domain, called ‘time to live’ or TTL.

In our case, TTL is set deliberately short, so your device keeps making requests. Meanwhile, your browser executes a malicious script from that website. When the TTL quickly expires, your device makes another request – and the response returns a local IP, such as 192.168.1.1, belonging to your home router.

Eventually, the attacking website can access sensitive information, including the names of devices connected to the router and those devices’ associated MAC addresses.

Is this a concern for my business?

The examples above show that there is an element of roundabout risk that your MAC address can be obtained.

However, the critical lesson is one of the priorities for businesses dependent on preserving their privacy. MAC address is still one of our most frequently asked questions, yet the direct methods are defunct. In other words, people focus on an area of diminishing importance while letting slide some of the key concerns in keeping browser profiles watertight when running multiple accounts.

These areas of browser fingerprinting, mainly directly obtainable, can pose a significant risk to your business, so you must keep yourself and the technologies you use up-to-date.