
Ambient Light Sensors Can Be Used To Steal Browser Data (bleepingcomputer.com)

An anonymous reader writes: "Over the past decade, ambient light sensors have become quite common in smartphones, tablets, and laptops, where they are used to detect the level of surrounding light and automatically adjust a screen's intensity to optimize battery consumption... and other stuff," reports Bleeping Computer. "The sensors have become so prevalent, that the World Wide Web Consortium (W3C) has developed a special API that allows websites (through a browser) to interact with a device's ambient light sensors. Browsers such as Chrome and Firefox have already shipped versions of this API with their products." According to two privacy and security experts, Lukasz Olejnik and Artur Janc, malicious web pages can launch attacks using this new API and collect data on users, such as URLs they visited in the past and extract QR codes displayed on the screen. This is possible because the light coming from the screen is picked up by these sensors. Mitigating such attacks is quite easy, as it only requires browser makers and the W3C to adjust the default frequency at which the sensors report their readings. Furthermore, the researcher also recommends that browser makers quantize the result by limiting the precision of the sensor output to only a few values in a preset range. The two researchers filed bug reports with both Chrome and Firefox in the hopes their recommendations will be followed.
  • by Anonymous Coward on Friday April 21, 2017 @01:07AM (#54274417)

    ... said no-one, ever.

  • by Anonymous Coward

    It's a completely soldout.

  • by Gravis Zero ( 934156 ) on Friday April 21, 2017 @04:07AM (#54274833)

    What we're seeing here is the result of feature creep being integrated into standards because the W3C is financed by donations of corporations. As a result they have lost their spine and the ability to say no to bad ideas. So now, the inmates are running the asylum. [github.com]

    • Love your response to the blather about Code of Ethics and Professional Conduct, which was a veiled attempt to get you to shut the hell up and go away.

      "Your social justice imperative has been noted."

  • by Anonymous Coward

    My nice old smartphone (note4) didn't have the API - so it is safe. It has a light sensor controlling the screen though. Web browsers don't need the ability. Tried several browsers too.

    My PC reports light sensor readings - but failed to record their blinking mess. Not surprising, the sensor does not face the screen but the room. So of course it won't notice the blinking screen, the office is lit by lamps much more powerful than a white screen. Even holding up a white paper did not reflect enough light back t

  • I wonder if you can drive them nuts with a random homemade ambient light strobe. Or aim the sensor with another computer, which is also browsing.
  • Access to a sensor, any sensor, enables information to leak. Microphone, camera, ambient light sensor, accelerometer, thermometer, battery level... These can all be used to glean some amount of information beyond what they're explicitly intended to gather.

    Browser manufacturers, KNOCK THAT SHIT OFF! Quit giving websites access to everything. If there seems to be a good reason to give sensor data, average it over time or fuzz it to reduce malicious use. And give the user control over which sensors you re
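
The mitigation described in the summary (a lower reporting frequency plus quantized output), which is also one form of the "average it over time or fuzz it" idea in the comment above, sketched as an added example. It is not code from the researchers, the W3C, or any browser; the step size, reporting interval, and sample readings are assumptions constructed for illustration.

```javascript
// Added illustration: rate-limit and quantize ambient light readings
// before a page can see them. All constants are assumed values.
const STEP_LUX = 50;          // assumed quantization step
const MIN_INTERVAL_MS = 1000; // assumed minimum gap between reported readings

// Snap a raw lux value to the nearest multiple of `step`.
function quantize(lux, step = STEP_LUX) {
  return Math.round(lux / step) * step;
}

// Given raw samples [{t, lux}], return what a page would observe once
// readings are throttled and quantized.
function mitigate(samples, step = STEP_LUX, minIntervalMs = MIN_INTERVAL_MS) {
  const out = [];
  let lastT = -Infinity;
  for (const { t, lux } of samples) {
    if (t - lastT < minIntervalMs) continue; // drop readings that arrive too fast
    out.push({ t, lux: quantize(lux, step) });
    lastT = t;
  }
  return out;
}

// Constructed samples: steady room light at `ambient` lux, with the screen
// adding 8 lux on every other 100 ms sample (a light/dark flicker).
function constructedSamples(ambient) {
  const samples = [];
  for (let i = 0; i < 30; i++) {
    samples.push({ t: i * 100, lux: ambient + (i % 2 === 0 ? 8 : 0) });
  }
  return samples;
}

// Number of distinct brightness levels visible in a series of readings.
function distinctLevels(readings) {
  return new Set(readings.map((r) => r.lux)).size;
}

const raw = constructedSamples(300);
const seen = mitigate(raw);
console.log(`raw: ${raw.length} readings, ${distinctLevels(raw)} levels`);
console.log(`mitigated: ${seen.length} readings, ${distinctLevels(seen)} levels`);

// Edge case: near a bucket boundary the same 8 lux swing still crosses levels.
console.log(`boundary: ${quantize(320)} vs ${quantize(328)}`);
```

With the constructed flicker, the raw series shows two levels across 30 readings while the mitigated series shows one level across three. A reading that sits near a bucket boundary can still flip between two levels, so quantization alone narrows the channel rather than closing it.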
