Closed Bug 1357733 Opened 7 years ago Closed 6 years ago

The `devicelight` event allows information leaks.

Categories

(Core :: Security, defect, P3)

Product:
Core
Component:
Security
Version:
52 Branch
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1359076

People

(Reporter: lukasz.w3c, Unassigned)

References

(
URL
)

Details

(Keywords: privacy, sec-want, Whiteboard: [fingerprinting]) 

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce:

I’d like to bring to your attention the fact that the feature allowing websites to access the light level reported by a device using either the devicelight event allows information leaks across origins. Specifically, it allows the detection of the screen color which leads “pixel-perfect” attacks (similar to https://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf but without the timing vector).

Specifically an attacker can steal the contents of cross-origin images or frames and detect the color of links, allowing her to determine if a link has been visited by the user or not, bypassing dbaron’s fix (https://dbaron.org/mozilla/visited-privacy). The attack is not affected by the precision of the light sensor readout (at least as long as there is sufficient precision to distinguish a white vs. black screen) or the supported readout frequency.

The issue is described and demonstrated here: https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/

tl;dr Please consider requiring browser permissions for access to light sensor readings.
Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
Bug 1292751 is another example where the high-resolution sensors covered by dom.sensors.enabled lead to privacy/security issues.
See Also: → gyrophone
(In reply to François Marier [:francois] from comment #1)
> Bug 1292751 is another example where the high-resolution sensors covered by
> dom.sensors.enabled lead to privacy/security issues.

Do you mean device.sensors.enabled ?
(In reply to Simon Mainey from comment #2)
> (In reply to François Marier [:francois] from comment #1)
> > Bug 1292751 is another example where the high-resolution sensors covered by
> > dom.sensors.enabled lead to privacy/security issues.
> 
> Do you mean device.sensors.enabled ?

Yes, sorry that was a typo.
URL: https://blog.lukaszolejnik.com/steali...
Keywords: privacy, sec-want
Priority: -- → P3
Whiteboard: [fingerprinting]
Bug 1299454 may be relevant for readers
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.