{"id":19323,"date":"2017-10-23T16:02:55","date_gmt":"2017-10-23T20:02:55","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=19323"},"modified":"2017-10-25T16:48:00","modified_gmt":"2017-10-25T20:48:00","slug":"stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2017\/10\/23\/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api\/","title":{"rendered":"Stealing Sensitive Browser Data With the W3C Ambient Light Sensor API"},"content":{"rendered":"<p><a href=\"https:\/\/blog.lukaszolejnik.com\/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api\/\">Lukasz Olejnik<\/a> (via <a href=\"https:\/\/twitter.com\/rmondello\/status\/920313799617290242\">Ricky Mondello<\/a>):<\/p>\n<blockquote cite=\"https:\/\/blog.lukaszolejnik.com\/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api\/\"><p>To better compete with native apps, websites might soon be able to access ambient light readings. There is currently an ongoing discussion within a W3C Device and Sensors Working Group whether to allow websites access the light sensor without requiring the user&rsquo;s permission. Most recent versions of both Chrome and Firefox have implementations of the API.<\/p>\n<p>[&#8230;]<\/p>\n<p>Since a website can apply different styles to visited and unvisited links, but cannot detect how the links are displayed to the user, we use the sensor to identify its true color[&#8230;]<\/p>\n<p>[&#8230;]<\/p>\n<p>Potentially more troubling is the fact that attackers can extract pixel-perfect representations of cross-origin images and frames: essentially, discover how a given site or image looks for the attacked user (in our demo we focus on images because they are easier to exfiltrate). In extreme cases, for example on sites which use account recovery QR codes for emergency access to an account, this could allow the attacker to hijack the victim&rsquo;s account.<\/p><\/blockquote>\n\n<p>Update (2017-10-25): <a href=\"https:\/\/daringfireball.net\/linked\/2017\/10\/24\/w3c-ambient-light-sensor\">John Gruber<\/a>:<\/p>\n<blockquote cite=\"https:\/\/daringfireball.net\/linked\/2017\/10\/24\/w3c-ambient-light-sensor\">\n<p>I don&rsquo;t want web browsers to compete with native apps. I want web browsers to be document viewers that I can trust with anything.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Lukasz Olejnik (via Ricky Mondello): To better compete with native apps, websites might soon be able to access ambient light readings. There is currently an ongoing discussion within a W3C Device and Sensors Working Group whether to allow websites access the light sensor without requiring the user&rsquo;s permission. Most recent versions of both Chrome and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[248,279,456,30,100,1529,355,96],"class_list":["post-19323","post","type-post","status-publish","format-standard","hentry","category-technology","tag-android","tag-firefox","tag-googlechrome","tag-mac","tag-macbookpro","tag-macos-10-13","tag-privacy","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/19323","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=19323"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/19323\/revisions"}],"predecessor-version":[{"id":19345,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/19323\/revisions\/19345"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=19323"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=19323"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=19323"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}