The `devicelight` event allows information leaks.

Status: NEW
Assignee: Unassigned
Product: Core
Component: Security
Reporter: Lukasz
Tracking: 52 Branch
Points: ---
Firefox Tracking Flags: Not tracked

Description

3 months ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce:

I’d like to bring to your attention the fact that the feature allowing websites to access the light level reported by a device using the devicelight event allows information leaks across origins. Specifically, it allows the detection of the screen color, which leads to “pixel-perfect” attacks (similar to https://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf but without the timing vector).

Specifically, an attacker can steal the contents of cross-origin images or frames and detect the color of links, allowing her to determine if a link has been visited by the user or not, bypassing dbaron’s fix (https://dbaron.org/mozilla/visited-privacy). The attack is not affected by the precision of the light sensor readout (at least as long as there is sufficient precision to distinguish a white vs. black screen) or the supported readout frequency.

The issue is described and demonstrated here: https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/

tl;dr Please consider requiring browser permissions for access to light sensor readings.
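
The permission requirement requested above can be modelled at page level. The following is an added example, not code from this bug or from Firefox: `gateSensorEvents`, `isAllowed` and `simulatePage` are hypothetical names, and a plain `EventTarget` with a constructed event stands in for `window` and the sensor.

```javascript
// Added example: hypothetical shim, not Firefox code.
const GATED_EVENTS = new Set(['devicelight']);

// isAllowed(type) is an assumed callback standing in for a permission prompt.
function gateSensorEvents(target, isAllowed) {
  const audit = [];
  const realAdd = target.addEventListener.bind(target);

  // Path 1: addEventListener('devicelight', ...)
  target.addEventListener = function (type, listener, options) {
    if (GATED_EVENTS.has(type) && !isAllowed(type)) {
      audit.push({ type, action: 'blocked-listener' });
      return; // drop the registration: no readings reach the caller
    }
    return realAdd(type, listener, options);
  };

  // Path 2: the on<event> handler property (target.ondevicelight = fn)
  for (const type of GATED_EVENTS) {
    let handler = null;
    realAdd(type, (ev) => { if (handler) handler.call(target, ev); });
    Object.defineProperty(target, 'on' + type, {
      configurable: true,
      get: () => handler,
      set(fn) {
        if (typeof fn === 'function' && !isAllowed(type)) {
          audit.push({ type, action: 'blocked-handler' });
          return;
        }
        handler = typeof fn === 'function' ? fn : null;
      },
    });
  }
  return audit;
}

// Constructed scenario: an EventTarget stands in for window, 420 is a made-up lux value.
function simulatePage(allow) {
  const win = new EventTarget();
  const seen = [];
  const audit = gateSensorEvents(win, () => allow);
  win.addEventListener('devicelight', (e) => seen.push(e.value));
  win.ondevicelight = (e) => seen.push(e.value);
  win.addEventListener('click', () => seen.push('click')); // ungated event
  win.dispatchEvent(Object.assign(new Event('devicelight'), { value: 420 }));
  win.dispatchEvent(new Event('click'));
  return { seen, audit };
}
```

Both registration paths have to be covered, and in a browser the shim would have to run before any page script; the audit list doubles as a record of which pages tried to read the sensor.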
Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All

Comment 1

Bug 1292751 is another example where the high-resolution sensors covered by dom.sensors.enabled lead to privacy/security issues.
See Also: → bug 1292751

Comment 2

3 months ago
(In reply to François Marier [:francois] from comment #1)
> Bug 1292751 is another example where the high-resolution sensors covered by
> dom.sensors.enabled lead to privacy/security issues.

Do you mean device.sensors.enabled ?

Comment 3

(In reply to Simon Mainey from comment #2)
> (In reply to François Marier [:francois] from comment #1)
> > Bug 1292751 is another example where the high-resolution sensors covered by
> > dom.sensors.enabled lead to privacy/security issues.
> 
> Do you mean device.sensors.enabled ?

Yes, sorry that was a typo.