Closed
Bug 1357733
Opened 7 years ago
Closed 6 years ago
The `devicelight` event allows information leaks.
Categories
(Core :: Security, defect, P3)
Tracking
()
RESOLVED
DUPLICATE
of bug 1359076
People
(Reporter: lukasz.w3c, Unassigned)
References
()
Details
(Keywords: privacy, sec-want, Whiteboard: [fingerprinting])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 Steps to reproduce: I’d like to bring to your attention the fact that the feature allowing websites to access the light level reported by a device using either the devicelight event allows information leaks across origins. Specifically, it allows the detection of the screen color which leads “pixel-perfect” attacks (similar to https://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf but without the timing vector). Specifically an attacker can steal the contents of cross-origin images or frames and detect the color of links, allowing her to determine if a link has been visited by the user or not, bypassing dbaron’s fix (https://dbaron.org/mozilla/visited-privacy). The attack is not affected by the precision of the light sensor readout (at least as long as there is sufficient precision to distinguish a white vs. black screen) or the supported readout frequency. The issue is described and demonstrated here: https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/ tl;dr Please consider requiring browser permissions for access to light sensor readings.
Updated•7 years ago
|
Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
Comment 1•7 years ago
|
||
Bug 1292751 is another example where the high-resolution sensors covered by dom.sensors.enabled lead to privacy/security issues.
See Also: → gyrophone
Comment 2•7 years ago
|
||
(In reply to François Marier [:francois] from comment #1) > Bug 1292751 is another example where the high-resolution sensors covered by > dom.sensors.enabled lead to privacy/security issues. Do you mean device.sensors.enabled ?
Comment 3•7 years ago
|
||
(In reply to Simon Mainey from comment #2) > (In reply to François Marier [:francois] from comment #1) > > Bug 1292751 is another example where the high-resolution sensors covered by > > dom.sensors.enabled lead to privacy/security issues. > > Do you mean device.sensors.enabled ? Yes, sorry that was a typo.
Updated•7 years ago
|
Priority: -- → P3
Whiteboard: [fingerprinting]
Comment 4•7 years ago
|
||
Bug 1299454 may be relevant for readers
Updated•6 years ago
|
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•