RE: ISSUE-28: What specific attacks are prevented by OS screenshots, should this be recommended against generally? from Fred Andrews on 2012-11-05 (public-webappsec@w3.org from November 2012)

From: Fred Andrews <fredandw@live.com>
Date: Mon, 5 Nov 2012 01:13:02 +0000
To: Web Application Security Working Group <public-webappsec@w3.org>
Message-ID: <BLU002-W11055A8615DC64912F3D8D8AA640@phx.gbl>

Technically, the more information available to a remote service the better they could monitor for 'attacks'.  If a browser level screenshot does not show extension overlays, chrome overlays, tool bar overlays, plugins, etc then attacks from these could be detected.  I presume a browser level screenshot does not include overlays from other OS level processes, so an OS level screenshot could help detect attacks from these.

My personal view is that even the UA presentation should be a private matter for the user and that the 'platform' should not support this as a default.  An OS level screenshot has the potential to expose a lot of information about the user that their may well consider private.

Some users may well want to take an OS level screenshot and send it over the web, but surely the UA UI could make sure this is an intentional opt-in action.

cheer
Fred

> Date: Thu, 1 Nov 2012 16:40:49 +0000
> To: public-webappsec@w3.org
> From: sysbot+tracker@w3.org
> Subject: ISSUE-28: What specific attacks are prevented by OS screenshots, should this be recommended against generally?
> 
> ISSUE-28: What specific attacks are prevented by OS screenshots, should this be recommended against generally?
> 
> http://www.w3.org/2011/webappsec/track/issues/28
> 
> Raised by: 
> On product: 
> 
> 
> 
> 
>

Received on Monday, 5 November 2012 01:13:29 UTC