Monday, October 23, 2017

Stealing Sensitive Browser Data With the W3C Ambient Light Sensor API

Lukasz Olejnik (via Ricky Mondello):

To better compete with native apps, websites might soon be able to access ambient light readings. There is currently an ongoing discussion within a W3C Device and Sensors Working Group whether to allow websites access the light sensor without requiring the user’s permission. Most recent versions of both Chrome and Firefox have implementations of the API.


Since a website can apply different styles to visited and unvisited links, but cannot detect how the links are displayed to the user, we use the sensor to identify its true color[…]


Potentially more troubling is the fact that attackers can extract pixel-perfect representations of cross-origin images and frames: essentially, discover how a given site or image looks for the attacked user (in our demo we focus on images because they are easier to exfiltrate). In extreme cases, for example on sites which use account recovery QR codes for emergency access to an account, this could allow the attacker to hijack the victim’s account.

Update (2017-10-25): John Gruber:

I don’t want web browsers to compete with native apps. I want web browsers to be document viewers that I can trust with anything.

2 Comments RSS · Twitter

>I don’t want web browsers to compete with native apps.

The rest of the world, meanwhile, does. Which I think is a good thing. We all profit tremendously from having a single, universal, global, networked application platform - most of all iPhone users, for most of whom this is the only way to run non-Apple-approved code on their devices.

>I want web browsers to be document viewers that I can trust with anything.

You can't trust document viewers with anything. Applications that "merely" view documents aren't magically safe from vulnerabilities. And, for that matter, native apps don't protect you from these kinds of intrusions either, so it makes little sense to demand that web apps should somehow be exempt from these APIs.

Yeah, I don't get Gruber at all many vulnerabilities have been found in PDF, image, and other media "viewers" over the years? Seems pretty common.

While I don't want every website to be a rich client pseudo app, I certainly don't mind Gmail, Hangouts, etc. Web apps have their place.

Leave a Comment