Open TPS opened 6 years ago
P.S.: It's now a JS library @ https://github.com/cagataycali/whats-the-user-doing.js for complete script-kiddy convenience. 😶
This is interesting indeed, and it should ask for a permission -- I don't think that blocking it entirely is a good solution.
Let's conduct an experiment.
Add this rule and check how many websites are really trying to exploit it:
#%#(function(){var b=null,e=["devicemotion","deviceorientation"],c=window.addEventListener;window.addEventListener=function(a,d){-1===e.indexOf(a)?c.apply(window,arguments):(null===b&&(b=confirm("Page tries to access your device's gyro data. Do you grant the permission?")),b?c.apply(window,arguments):console.log("Denied access to "+a))}})();
For instance, it will ask for your permission on that test page.
It's important to note that for it to function AG needs to be able to modify pages' content, therefore HTTPS filtering is mandatory (only in your browser, though).
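The rule above wraps `window.addEventListener` so that the first subscription to a gated sensor event triggers one prompt and the answer is reused for the rest of the page's lifetime. The following is an added example, not code from the thread or from AdGuard: the same gate written out readably and run under Node against a constructed stand-in for `window` (the names `installGyroGate`, `makeFakeWindow`, `simulate` and the recorded `registrations` are this example's own). It also forwards the third `options` argument, which the one-line rule only does if written with `apply(window, arguments)` rather than `c(a, d)`.

```javascript
// Added example (not from the issue thread or AdGuard): a readable version of
// the addEventListener gate, runnable under Node with a constructed fake window.
const GATED_EVENTS = ["devicemotion", "deviceorientation"];

// Wrap win.addEventListener so the first attempt to subscribe to a gated sensor
// event asks the user once (askFn stands in for window.confirm) and remembers
// the answer for every later attempt on the same page.
function installGyroGate(win, askFn) {
  const original = win.addEventListener;
  let decision = null; // null = not asked yet, true = granted, false = denied
  const denied = [];   // event names whose subscription was refused

  win.addEventListener = function (type, listener, options) {
    if (GATED_EVENTS.indexOf(type) === -1) {
      // Not a sensor event: pass through untouched, including the options argument.
      return original.call(win, type, listener, options);
    }
    if (decision === null) {
      decision = Boolean(
        askFn("Page tries to access your device's gyro data. Do you grant the permission?")
      );
    }
    if (decision) {
      return original.call(win, type, listener, options);
    }
    denied.push(type);
    console.log("Denied access to " + type);
    return undefined;
  };

  return { denied, wasAsked: () => decision !== null };
}

// Constructed stand-in for a browser window: records every listener it accepts.
function makeFakeWindow() {
  const registrations = [];
  return {
    registrations,
    addEventListener(type, listener, options) {
      registrations.push({ type, listener, options });
    },
  };
}

// Run a page-like script against a gated window with a fixed prompt answer and
// report what got through, what was denied and how often the user was asked.
function simulate(answer) {
  const win = makeFakeWindow();
  let prompts = 0;
  const gate = installGyroGate(win, () => { prompts += 1; return answer; });

  win.addEventListener("click", () => {}, { passive: true }); // benign listener
  win.addEventListener("deviceorientation", () => {});         // first sensor request -> prompt
  win.addEventListener("devicemotion", () => {}, true);        // second request -> reuses answer

  return {
    prompts,
    registered: win.registrations.map((r) => r.type),
    denied: gate.denied.slice(),
    clickOptions: win.registrations[0].options,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(simulate(false)));
  console.log(JSON.stringify(simulate(true)));
}
```

With the answer fixed to `false`, only the `click` listener reaches the real `addEventListener`, both sensor subscriptions are logged as denied, and the prompt fires exactly once; with `true`, all three are registered and the prompt still fires only once. Because the wrapper replaces a property on `window`, it has to run before the page's own scripts, which is why the rule depends on AG being able to inject into page content.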
Let me check on Android:)
AG user filters?
Yeah, just add this exact rule to the AG user filter
Works for me in Chrome
Nope, nothing, but I'm only using WebView browsers, mostly LastPass.
HTTPS filtering is disabled for LastPass by default
Doesn't work in Firefox Klar (F-droid), either. Is that whitelisted?
It targets Nougat, hence it does not trust user certificates: https://blog.adguard.com/en/android-nougat-release-and-what-does-it-mean-for-adguard-users/
Most major browsers made an exception for it and opted to trust user certificates (Chrome, Samsung, regular FF if you install the certificate into their cert storage).
However, there are some browsers that don't do it, like Firefox Focus for instance.
Here is the GH issue where we test it: #1304
I'm running Nougat, so does that mean I'm SOL re: HTTPS-filtering? I'd be ok w/ that, anyway, but just to try this POC-fix, I've enabled it.
SOL re: HTTPS-filtering
Mm? Can't parse it:)
SOL = S*** Outta Luck.... Sorry. 😅🤬 I mean, Nougat can't HTTPS-filter, then?
It can, but the app dev should allow it by adding special "network security configuration".
Here is a list of major browsers supporting it:
Chrome
Samsung
Firefox (you'll need to tap "install certificate into Firefox" in AG settings)
Opera
Dolphin
Yandex
Meh, I'll just turn HTTPS-filtering off. But if the POC-fix works, maybe include that in the experimental filters & find some beta testers to try it on mobile?
I have it in the user filter myself, we'll see if anybody tries to exploit it.
Here's how it looks: https://uploads.adguard.com/up04_2xrsf.png
Does it actually grant/deny the permission? The JS seems to just log the decision.
It does
Here's a non-HTTPS site for which I get the function prompt:
http://www.islandpacket.com/opinion/opn-columns-blogs/david-lauderdale/article135539793.html
How do I confirm the block? I don't even see anything in the log: adguard_logs_1709_2248.zip
islandpacket.com
uses it for legit purposes (changes the page layout on device orientation change).
m.starwoodhotels.com
-- not so clear here, the script is heavily obfuscated, I can't understand why it needs it yet.
Changing page layout doesn't need gyro - 1 can get screen/window dimensions to do that. But blocking them makes me happier, anyway.
It detects the portrait<->album transitions, nothing serious really.
Just FYI & OT: If ever translating the change from & to portrait orientation, the other 1 is called landscape in the US.
Folks @ Princeton U. have juiced this up (like on steroids!) & made a patent-pending version, it seems:
https://www.princeton.edu/news/2017/11/29/phones-vulnerable-location-tracking-even-when-gps-services ↓ https://doi.org/10.1109/TMSCS.2017.2751462 ↓ https://drive.google.com/file/d/1HYHM6A3htTv9V3eMs8zEkZK3ILmnk3Vp/view
Whaddy'all think, @AdGuardTeam?
Not that we can do anything with that :(
Another example for the original issue: Any page @
NB: I recommend doing this link on a private browser/tab, or 1 that all tracking data can be wiped, as article accesses are limited monthly.
Yet another fine example @ http://www.bloomberg.com/news/features/2018-09-20/making-marines-into-macgyvers
@ameshkov A further idea for this: Maybe have a toggle/explanation for this in the Stealth module/tab, which just adds your rule above, since that still works fine. Y'all could even default it off.
P.S.: I've added links to Princeton U.'s paper re: their supercharged version of this.
https://github.com/thewhiteh4t/seeker has recently been promoted on GitHub's Explore, which seems to be a combo of this & #1477.
_N.B.: I'm really @ a loss as to where to place this RFE (or if AG can/should do anything @ all about it). Also, the amount of accessible different mechanisms available to track anything & everything 1 does grows increasingly ridiculous! 😤_
It's now possible to track what 1 does in the physical realm using simple JavaScript & an overly permissive engine.
Steps to reproduce
POC: https://krausefx.github.io/user.activity Repo: https://github.com/KrauseFx/user.activity Code: https://github.com/KrauseFx/user.activity/blob/master/index.html
Expected behavior
In theory, this should require a separate permission to do, or @ least a prompt before using the gyro sensors.
Actual behavior
No prompt nor block. 😞
Your environment