Stealing Sensitive Browser Data With the W3C Ambient Light Sensor API

Lukasz Olejnik:

In this post we describe and demonstrate a neat trick to exfiltrate sensitive information from your browser using a surprising tool: your smartphone or laptop’s ambient light sensor. […]

To better compete with native apps, websites might soon be able to access ambient light readings. There is currently an ongoing discussion within a W3C Device and Sensors Working Group whether to allow websites access the light sensor without requiring the user’s permission. Most recent versions of both Chrome and Firefox have implementations of the API.

I don’t want web browsers to compete with native apps. I want web browsers to be document viewers that I can trust with anything. I don’t want websites to have access to any sensors on my machine. The good news is it doesn’t matter what Chrome and Mozilla do — I doubt there’s any way that Safari would allow access to this sensor without the user’s explicit permission.

Tuesday, 24 October 2017