Many websites customize their services according to different geo-locations of users, to provide more relevant content and better responsiveness, including Google, Craigslist, etc. Recently, mobile devices further allow web applications to directly read users’ geo-location information from GPS sensors. However, if such websites leave location-sensitive content in the browser cache, other sites can sniff users’ geo-locations by utilizing timing sidechannels. In this paper, we demonstrate that such geolocation leakage channels are widely open in popular web applications today, including 62% of Alexa Top 100 websites. With geo-inference attacks that measure the timing of browser cache queries, we can locate users’ countries, cities and neighborhoods in our case studies. We also discuss whether existing defenses can effectively prevent such attacks and additional support required for a better defense deployment.