In this post we describe and demonstrate a neat trick to
exfiltrate sensitive information from your browser using a
surprising tool: your smartphone or laptop’s ambient light

To better compete with native apps, websites might soon be able to
access ambient light readings. There is currently an ongoing
discussion within a W3C Device and Sensors Working Group whether
to allow websites to access the light sensor without requiring the
user’s permission. Most recent versions of both Chrome and Firefox
have implementations of the API.

I don’t want web browsers to compete with native apps. I want web browsers to be document viewers that I can trust with anything. I don’t want websites to have access to any sensors on my machine. The good news is it doesn’t matter what Chrome and Mozilla do — I doubt there’s any way that Safari would allow access to this sensor without the user’s explicit permission.