An anonymous reader writes "Security researcher Adam Baldwin has identified that the Sprint and Verizon MiFi devices are vulnerable to a multitude of attacks. Combining these attacks together, an attacker can gain the GPS location of the MiFi device without the user becoming immediately aware. The attack can be successfully executed without authentication and even if the GPS has been disabled by the administrator."
There's a video, but a handy text summary, too. Upshot: "Any MiFi user that visits a specially crafted page will give up their GPS location to the attacker."