Comments (3)
The cited attack vector for Device motion / orientation is the following paper: https://www.usenix.org/event/hotsec11/tech/final_files/Cai.pdf.
Given that JavaScript running on a web page already has access to the whole DOM (including e.g. all form input elements), it requires some malicious third-party JavaScript to be running for this to be of any meaningful risk.
I guess an embedded iframe could use this attack vector though. An alternative solution to requiring HTTPS for device orientation and motion could be to just disallow deviceorientation/devicemotion event access from any scope other than the top-level document.
Regardless of the outcome of this discussion I agree we should say something about this in the specification.
from deviceorientation.
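The comment above proposes two gates for the sensor events: the HTTPS-only requirement the spec was considering, and a top-level-document-only rule that would stop an embedded iframe from consuming the stream. The following is an added example, not code from the W3C specification or from anyone in this thread, showing both gates as a small policy layer around `addEventListener`. It assumes a window-like object with the standard `top`, `self`, `isSecureContext` and `addEventListener` members; the fake window builder at the bottom is constructed so the code runs offline without a browser.

```javascript
// Added example: gating deviceorientation / devicemotion access.
// Not part of the W3C spec or the issue thread; policy names are assumptions.

// True when `win` is the top-level browsing context rather than a frame.
// Comparing win.top with win.self is an identity check and works even from a
// cross-origin frame, where most other properties of win.top are inaccessible.
function isTopLevelDocument(win) {
  return win.top === win.self;
}

// Decide whether sensor events may be delivered to this context under a policy:
//   "https-only"     - the requirement discussed in the thread (secure context)
//   "top-level-only" - the alternative proposed in the comment (no iframes)
//   "both"           - enforce both requirements together
function motionAccessAllowed(win, policy) {
  switch (policy) {
    case "https-only":
      return Boolean(win.isSecureContext);
    case "top-level-only":
      return isTopLevelDocument(win);
    case "both":
      return Boolean(win.isSecureContext) && isTopLevelDocument(win);
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Register `handler` for both sensor events only when the policy allows it.
// Returns the list of event names actually registered so callers can see
// whether the context was denied (empty array) instead of silently failing.
function attachMotionListeners(win, handler, policy) {
  const events = ["deviceorientation", "devicemotion"];
  if (!motionAccessAllowed(win, policy)) {
    return [];
  }
  for (const name of events) {
    win.addEventListener(name, handler);
  }
  return events;
}

// Constructed stand-in for a browser Window so the example runs under Node.
// `topLevel: false` models a document loaded inside an iframe: win.top then
// points at a different object (the embedding page's window).
function makeFakeWindow({ topLevel, secure }) {
  const win = {
    isSecureContext: secure,
    registered: [],
    addEventListener(name, fn) {
      this.registered.push({ name, fn });
    },
  };
  win.self = win;
  win.top = topLevel ? win : { isSecureContext: secure };
  return win;
}

// Usage: an https page embedding a third-party iframe. Under the top-level-only
// rule the iframe gets nothing even though it is a secure context.
const embeddingPage = makeFakeWindow({ topLevel: true, secure: true });
const thirdPartyFrame = makeFakeWindow({ topLevel: false, secure: true });
const noop = () => {};
console.log("top-level page:", attachMotionListeners(embeddingPage, noop, "top-level-only"));
console.log("iframe:", attachMotionListeners(thirdPartyFrame, noop, "top-level-only"));
```

The top-level check is cheap and needs no user prompt, but it also denies legitimate embedded widgets; the thread's later discussion of permissions policies is the direction the spec eventually took for that trade-off.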
We actually have informed the geolocation team via email before. It might help if we put it here too.
I am writing to you on behalf of a team of researchers in mobile security from Newcastle University, UK. Based on our recent work, we have identified vulnerabilities in the current privacy/security policies of accessing mobile orientation and motion sensors via JavaScript code specified here (http://www.w3.org/TR/orientation-event/).
The results of our work show that it is possible to infer user’s touch actions such as click, scroll, and zoom, as well as his PINs based on the sensor streams accessible through different mainstream mobile browsers. These browsers have implemented this feature according to the W3C device orientation event specification.
A preliminary version of our work is already published here (http://dl.acm.org/citation.cfm?id=2714650). The detailed version of the paper including attacks on user’s PINs is accessible via my homepage (http://homepages.cs.ncl.ac.uk/m.mehrnezhad/) and will be published soon.
We would be very happy to provide you with more information in regards to this problem.
-Maryam Mehr
This has been superseded by issue #24.