Slashdot Mirror


Ambient Light Sensors Can Be Used To Steal Browser Data (bleepingcomputer.com)

An anonymous reader writes: "Over the past decade, ambient light sensors have become quite common in smartphones, tablets, and laptops, where they are used to detect the level of surrounding light and automatically adjust a screen's intensity to optimize battery consumption... and other stuff," reports Bleeping Computer. "The sensors have become so prevalent that the World Wide Web Consortium (W3C) has developed a special API that allows websites (through a browser) to interact with a device's ambient light sensors. Browsers such as Chrome and Firefox have already shipped versions of this API with their products." According to two privacy and security experts, Lukasz Olejnik and Artur Janc, malicious web pages can launch attacks using this new API and collect data on users, such as URLs they visited in the past, and extract QR codes displayed on the screen. This is possible because the light coming from the screen is picked up by these sensors. Mitigating such attacks is quite easy, as it only requires browser makers and the W3C to adjust the default frequency at which the sensors report their readings. Furthermore, the researcher also recommends that browser makers quantize the result by limiting the precision of the sensor output to only a few values in a preset range. The two researchers filed bug reports with both Chrome and Firefox in the hopes their recommendations will be followed.
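
The two mitigations named in the summary above (a lower reporting frequency and quantized output), sketched as an added example that is not part of the original post, the researchers' work, or any browser's code. The step size, the minimum interval, and the lux traces are constructed assumptions chosen only to show the effect.

```javascript
// Added illustration: sanitise ambient-light readings before a page sees them.
// STEP_LUX and MIN_INTERVAL_MS are assumed values, not taken from any browser.
const STEP_LUX = 50;          // assumed quantization step, in lux
const MIN_INTERVAL_MS = 1000; // assumed minimum gap between reported readings

// Round a raw lux value to the nearest multiple of stepLux.
function quantize(lux, stepLux = STEP_LUX) {
  return Math.round(lux / stepLux) * stepLux;
}

// Take raw readings [{t, lux}] (t in ms, ascending) and return what a page
// would receive: at most one reading per interval, each one quantized.
function sanitize(readings, stepLux = STEP_LUX, minIntervalMs = MIN_INTERVAL_MS) {
  const out = [];
  let lastT = -Infinity;
  for (const { t, lux } of readings) {
    if (!Number.isFinite(lux) || lux < 0) continue; // drop malformed samples
    if (t - lastT < minIntervalMs) continue;        // enforce the rate limit
    out.push({ t, lux: quantize(lux, stepLux) });
    lastT = t;
  }
  return out;
}

// Constructed sample data: a room at about 200 lux where the screen content
// adds a few lux, sampled every 100 ms for 3 seconds. The two traces differ
// only by that small screen contribution.
function trace(screenLux) {
  return Array.from({ length: 30 }, (_, i) => ({ t: i * 100, lux: 200 + screenLux }));
}
const brightContent = trace(6);
const darkContent = trace(1);

// True if the two reading sequences differ in any reported value.
function distinguishable(a, b) {
  return JSON.stringify(a.map(r => r.lux)) !== JSON.stringify(b.map(r => r.lux));
}

console.log("raw traces differ:", distinguishable(brightContent, darkContent));
console.log("sanitized traces differ:",
  distinguishable(sanitize(brightContent), sanitize(darkContent)));
console.log("samples kept:", sanitize(brightContent).length, "of", brightContent.length);
```

Readings that straddle a bucket boundary still land in different buckets, so the step has to be wide compared with the screen's contribution to the measured light.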

2 of 37 comments

  1. Feature creep in standards. by Gravis Zero · Score: 5, Informative

    What we're seeing here is the result of feature creep being integrated into standards because the W3C is financed by donations of corporations. As a result they have lost their spine and the ability to say no to bad ideas. So now, the inmates are running the asylum.

    --
    Anons need not reply. Questions end with a question mark.
  2. Re:yea right by Errol backfiring · Score: 3, Informative

    In a way you would be turning your light sensor into a light pen. Yes, this is grandpa speaking, who can still remember how beautiful his Commodore 64 was with a light pen. In effect, the screen is built up of horizontal lines that are "painted" sequentially. So the light pen would detect a light peak, send a signal to the computer, who looked at where the video chip was currently painting. That way, the computer "knew" where you pointed the light pen at.

    So yes, I can totally imagine that you would be able to read a QR code from your own screen that way.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!