Hi everyone,

A couple of weeks ago, this proof of concept attack circled its way around Twitter:
https://krausefx.github.io/whats-the-user-doing/

This simple web app, once loaded on mobile, with a disturbing degree of accuracy, can tell what the user is doing with their phone, for example, using it while walking, lying in bed, etc. The way it does this is through listening to deviceorientation/devicemotion events as defined in <https://www.w3.org/TR/orientation-event/>.

We recently discussed an intent to remove the rest of the sensor APIs we currently support, besides these two: <https://groups.google.com/d/msg/mozilla.dev.platform/45XApRxACaM/Fc3XxHgzCAAJ>. These two events are considered to be useful for web applications that want to create experiences that rely on being able to tell the orientation of the device, for example.

I would like to start a discussion about how to address the recently surfaced privacy concerns. There are several things that we can do which come to mind:

* Restrict dispatching these events to secure contexts. That way we don't potentially leak this information to MITM attackers on the network.

* Apply some of the precautions recommended in <https://www.w3.org/TR/2016/CR-orientation-event-20160818/#security-and-privacy>, for example, refrain from dispatching these events inside invisible pages or background pages. Also, only fire them in top-level browsing contexts and same-origin nested browsing contexts in order to avoid leaking this information to third-party iframes. And limit the frequency of the event dispatches to once per refresh cycle maximum.

* Ensure that we don't leak this information when fingerprinting resistance is turned on for the Tor Browser if we don't already.

None of this of course really prevents this abuse in foreground pages served from secure contexts. :-( If you have ideas on what can be done to mitigate this issue, please feel free to discuss.

Note that bug 1359076 is currently filed for removing the rest of the sensor APIs besides these ones, so based on the outcome of this thread more bugs need to be filed...

Cheers,
--
Ehsan
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
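
The precautions listed in the message above (secure contexts only, visible pages only, top-level or same-origin frames only, at most one dispatch per refresh cycle) can be modelled as a single gate in front of event dispatch. This is an added JavaScript example, not part of the original message and not browser engine code; `blockReason`, `MotionGate`, the `ctx` fields, the 60 Hz refresh rate and the sample URLs are all assumptions made for illustration.

```javascript
// Added example: a model of the dispatch decision, not browser engine code.
// blockReason, MotionGate and the ctx fields are hypothetical names.
const FRAME_MS = 1000 / 60; // assumption: 60 Hz refresh cycle

// ctx.frameChain lists document URLs from the top-level page down to the
// frame that would receive the event (a constructed model of nesting).
function blockReason(ctx) {
  if (!ctx.isSecureContext) return "insecure-context";
  if (ctx.visibilityState !== "visible") return "not-visible";
  if (ctx.frameChain.length > 1) {
    const top = new URL(ctx.frameChain[0]).origin;
    const frame = new URL(ctx.frameChain[ctx.frameChain.length - 1]).origin;
    // Opaque origins (data: URLs, sandboxed frames) serialize to "null"
    // and must never be treated as matching anything.
    if (frame === "null" || frame !== top) return "cross-origin-frame";
  }
  return null;
}

class MotionGate {
  constructor() {
    this.lastDispatchMs = -Infinity;
  }
  // Decide whether a sensor sample taken at timestampMs may be dispatched.
  filter(ctx, timestampMs) {
    const reason = blockReason(ctx);
    if (reason) return { dispatch: false, reason };
    if (timestampMs - this.lastDispatchMs < FRAME_MS) {
      return { dispatch: false, reason: "rate-limited" };
    }
    this.lastDispatchMs = timestampMs;
    return { dispatch: true, reason: null };
  }
}

// Constructed sample contexts.
const base = { isSecureContext: true, visibilityState: "visible" };
const samples = {
  topLevel: { ...base, frameChain: ["https://game.example/play"] },
  plainHttp: { ...base, isSecureContext: false, frameChain: ["http://game.example/"] },
  backgroundTab: { ...base, visibilityState: "hidden", frameChain: ["https://game.example/"] },
  adFrame: { ...base, frameChain: ["https://news.example/", "https://ads.example/slot"] },
  sameOriginFrame: { ...base, frameChain: ["https://news.example/", "https://news.example/widget"] },
  dataFrame: { ...base, frameChain: ["https://news.example/", "data:text/html,x"] },
};
```

The `topLevel` sample passes every check, which is the remaining case the message notes: a visible first-party page in a secure context still receives the events, only at a capped rate.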