
Comments (3)

richtr commented on July 28, 2024

The cited attack vector for device motion / orientation is the following paper:

https://www.usenix.org/event/hotsec11/tech/final_files/Cai.pdf

Given that JavaScript running on a web page already has access to the whole DOM (including e.g. all form input elements), this requires some malicious third-party JavaScript to be running for it to be of any meaningful risk.

I guess an embedded iframe could use this attack vector though. An alternative solution to requiring HTTPS for device orientation and motion could be to just disallow deviceorientation/devicemotion event access from any scope other than the top-level document.

Regardless of the outcome of this discussion I agree we should say something about this in the specification.

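A defender-side sketch of the two mitigations weighed in the comment above (requiring a secure context, and ignoring sensor events outside the top-level document), as an added example that is not code from the thread or the specification. The injected window-like object and the function names are assumptions; the Permissions-Policy header and its `accelerometer`/`gyroscope` feature names are a real mechanism not mentioned in the thread.

```javascript
// Added example: gate deviceorientation/devicemotion handlers so they only run
// in a secure, top-level browsing context, and build a Permissions-Policy
// header that keeps embedded frames away from the underlying sensors.
// `win` is an injected window-like object (assumption) so the logic can be
// exercised outside a browser.

// True only when `win` is the top-level document and is a secure context
// (HTTPS). Reading `win.top` can throw for cross-origin frames under strict
// policies; treat that as "not top-level".
function sensorEventsAllowed(win) {
  let isTop;
  try {
    isTop = win.top === win.self;
  } catch (e) {
    isTop = false;
  }
  return Boolean(isTop && win.isSecureContext === true);
}

// Wraps a sensor event handler so samples are dropped (and counted) whenever
// the context fails the gate above; the counters make the drop observable.
function guardSensorHandler(win, handler) {
  const stats = { delivered: 0, dropped: 0 };
  const guarded = (event) => {
    if (!sensorEventsAllowed(win)) {
      stats.dropped += 1;
      return;
    }
    stats.delivered += 1;
    handler(event);
  };
  return { guarded, stats };
}

// Builds a Permissions-Policy header value from a feature -> allowlist map,
// e.g. { accelerometer: ['self'], gyroscope: [] } ->
// 'accelerometer=(self), gyroscope=()'. 'self' allows only same-origin
// documents; an empty allowlist disables the feature in the page and all frames.
function buildPermissionsPolicy(policy) {
  return Object.entries(policy)
    .map(([feature, allowlist]) => `${feature}=(${allowlist.join(' ')})`)
    .join(', ');
}
```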

maryammjd commented on July 28, 2024

We actually have informed the geolocation team via email before. It might help if we put it here too.
I am writing to you on behalf of a team of researchers in mobile security from Newcastle University, UK. Based on our recent work, we have identified vulnerabilities in the current privacy/security policies for accessing mobile orientation and motion sensors via JavaScript code, as specified here (http://www.w3.org/TR/orientation-event/).

The results of our work show that it is possible to infer user’s touch actions such as click, scroll, and zoom, as well as his PINs based on the sensor streams accessible through different mainstream mobile browsers. These browsers have implemented this feature according to the W3C device orientation event specification.

A preliminary version of our work is already published here (http://dl.acm.org/citation.cfm?id=2714650). The detailed version of the paper including attacks on user’s PINs is accessible via my homepage (http://homepages.cs.ncl.ac.uk/m.mehrnezhad/) and will be published soon.
We would be very happy to provide you with more information in regards to this problem.
-Maryam Mehr


timvolodine commented on July 28, 2024

This has been superseded by issue #24.
