w3c / deviceorientation

W3C Device Orientation spec
https://www.w3.org/TR/orientation-event/

Security considerations #13

Closed marcoscaceres closed 8 years ago

marcoscaceres commented 9 years ago

There is a security/privacy consideration around this API being used by a third party to detect key presses. Please see:

https://bugzilla.mozilla.org/show_bug.cgi?id=686401

The spec should make a mention of this.

richtr commented 9 years ago

The cited attack vector for Device motion / orientation is the following paper:

https://www.usenix.org/event/hotsec11/tech/final_files/Cai.pdf

Given that JavaScript running on a web page already has access to the whole DOM (including e.g. all form input elements), it requires some malicious third-party JavaScript to be running for this to be of any meaningful risk.

I guess an embedded iframe could use this attack vector though. An alternative solution to requiring HTTPS for device orientation and motion could be to just disallow deviceorientation/devicemotion event access from any scope other than the top-level document.

Regardless of the outcome of this discussion I agree we should say something about this in the specification.
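The scoping rule proposed above (only the top-level document may receive deviceorientation/devicemotion events) can also be applied by a page author today, independently of what the specification ends up saying. The following is an added example written for this thread; it is not code from richtr, the specification, or the w3c/deviceorientation repository. It assumes a page-side guard that checks `window.top === window` before wiring the handlers, and it builds the `Permissions-Policy` header value that later editions of the spec use to gate these events (the `accelerometer`, `gyroscope` and `magnetometer` feature names come from those later editions, not from this thread). The fake window objects are constructed stand-ins so the module also runs offline under Node.

```javascript
// Added example: wire up deviceorientation/devicemotion handlers only when the
// script runs in the top-level browsing context, which is the scoping rule
// proposed in the discussion above. Not part of the spec or the
// w3c/deviceorientation repository. In a real page call
// installSensorListeners(window, handler); the fake windows below are
// constructed so the module also runs under Node for testing.

const SENSOR_EVENTS = ["deviceorientation", "devicemotion"];

// True when `win` is the top-level browsing context (not inside any iframe).
// Reading `win.top` can throw for some cross-origin framing setups; treat any
// such failure as "nested", i.e. deny access.
function isTopLevelContext(win) {
  try {
    return win.top === win;
  } catch (e) {
    return false;
  }
}

// Registers `handler` for both sensor events, but only in a top-level
// document. Returns the list of event names actually registered so callers
// (and tests) can see whether the guard allowed access.
function installSensorListeners(win, handler) {
  if (!isTopLevelContext(win)) {
    return [];
  }
  for (const name of SENSOR_EVENTS) {
    win.addEventListener(name, handler);
  }
  return SENSOR_EVENTS.slice();
}

// Permissions-Policy header value that keeps the underlying sensors for the
// top-level origin (`self`) and denies them to every embedded frame. These
// are the policy-controlled features that later editions of the spec gate
// deviceorientation/devicemotion on (assumption: the server sends this header
// with the top-level document).
function sensorPermissionsPolicy() {
  return ["accelerometer=(self)", "gyroscope=(self)", "magnetometer=(self)"].join(", ");
}

// Constructed stand-ins for a top-level window and a nested iframe window.
// `listeners` records what addEventListener was called with.
function makeFakeWindow(isTop) {
  const win = { listeners: {} };
  win.top = isTop ? win : { nestedParent: true };
  win.addEventListener = (name, fn) => {
    (win.listeners[name] = win.listeners[name] || []).push(fn);
  };
  return win;
}

// Demonstration when run directly under Node (node guard.js).
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const handler = () => {};
  console.log("top-level registered:", installSensorListeners(makeFakeWindow(true), handler));
  console.log("iframe registered:   ", installSensorListeners(makeFakeWindow(false), handler));
  console.log("Permissions-Policy:  ", sensorPermissionsPolicy());
}
```

The page-side guard only protects scripts the page author controls; a third-party iframe runs its own script, which is why the header is the part that actually denies the embedded scope, and the guard is a belt-and-braces check for first-party code that is itself embedded elsewhere.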

maryammjd commented 8 years ago

We actually have informed the geolocation team via email before. It might help if we put it here too. I am writing to you on behalf of a team of researchers in mobile security from Newcastle University, UK. Based on our recent work, we have identified vulnerabilities in the current privacy/security policies for accessing mobile orientation and motion sensors via the JavaScript code specified here (http://www.w3.org/TR/orientation-event/).

The results of our work show that it is possible to infer user’s touch actions such as click, scroll, and zoom, as well as his PINs based on the sensor streams accessible through different mainstream mobile browsers. These browsers have implemented this feature according to the W3C device orientation event specification.

A preliminary version of our work is already published here (http://dl.acm.org/citation.cfm?id=2714650). The detailed version of the paper, including attacks on users' PINs, is accessible via my homepage (http://homepages.cs.ncl.ac.uk/m.mehrnezhad/) and will be published soon. We would be very happy to provide you with more information in regard to this problem. -Maryam Mehr

timvolodine commented 8 years ago

This has been superseded by issue #24.