Closed Bug 1357733 Opened 5 years ago Closed 4 years ago
The `devicelight` event allows information leaks
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 Steps to reproduce: I’d like to bring to your attention the fact that the feature allowing websites to access the light level reported by a device using either the devicelight event allows information leaks across origins. Specifically, it allows the detection of the screen color which leads “pixel-perfect” attacks (similar to https://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf but without the timing vector). Specifically an attacker can steal the contents of cross-origin images or frames and detect the color of links, allowing her to determine if a link has been visited by the user or not, bypassing dbaron’s fix (https://dbaron.org/mozilla/visited-privacy). The attack is not affected by the precision of the light sensor readout (at least as long as there is sufficient precision to distinguish a white vs. black screen) or the supported readout frequency. The issue is described and demonstrated here: https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/ tl;dr Please consider requiring browser permissions for access to light sensor readings.
Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
Bug 1292751 is another example where the high-resolution sensors covered by dom.sensors.enabled lead to privacy/security issues.
See Also: → gyrophone
(In reply to François Marier [:francois] from comment #1) > Bug 1292751 is another example where the high-resolution sensors covered by > dom.sensors.enabled lead to privacy/security issues. Do you mean device.sensors.enabled ?
(In reply to Simon Mainey from comment #2) > (In reply to François Marier [:francois] from comment #1) > > Bug 1292751 is another example where the high-resolution sensors covered by > > dom.sensors.enabled lead to privacy/security issues. > > Do you mean device.sensors.enabled ? Yes, sorry that was a typo.
Bug 1299454 may be relevant for readers
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1359076
You need to log in before you can comment on or make changes to this bug.