W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2012

RE: ISSUE-28: What specific attacks are prevented by OS screenshots, should this be recommended against generally?

From: Hill, Brad <bhill@paypal-inc.com>
Date: Mon, 5 Nov 2012 04:36:37 +0000
To: Fred Andrews <fredandw@live.com>, Web Application Security Working Group <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E2DA7F4@DEN-EXDDA-S12.corp.ebay.com>
Screenshots are never sent over the web - that would be an extreme privacy violation.  The comparison is exclusively a local one.  This does possibly provide a side-channel to infer information about the user's screen, but as reports would only be generated in response to non-synthetic UI events, it would be a very low bandwidth channel.   It would be interesting to think systematically about what the exact bandwidth is and what could be practically accomplished with this.

For some context, until I get around to filling in details from the F2F discussion on our issues list, the question here was whether OS-level screenshots provide any protections that cannot be accomplished without their use.  The InContext research used OS-level screenshots to detect attacks involving multiple overlaid browser windows (as opposed to frames), in which users were instructed to "double click" on a target, where the first click closes the topmost window and the second click is then delivered to the window beneath before the user can assess its context.

Giorgio thought that monitoring the timing of paint events could solve this without recourse to OS-level views, and if true, this might greatly simplify issues with accessibility tools, as implementing the pixel comparison heuristic only in terms of browser renders might avoid interference from OS-level tools like screen magnifiers or high-contrast color schemes.

-Brad
From: Fred Andrews [mailto:fredandw@live.com]
Sent: Sunday, November 04, 2012 8:13 PM
To: Web Application Security Working Group
Subject: RE: ISSUE-28: What specific attacks are prevented by OS screenshots, should this be recommended against generally?


Technically, the more information available to a remote service the better they could monitor for 'attacks'.  If a browser level screenshot does not show extension overlays, chrome overlays, tool bar overlays, plugins, etc then attacks from these could be detected.  I presume a browser level screenshot does not include overlays from other OS level processes, so an OS level screenshot could help detect attacks from these.

My personal view is that even the UA presentation should be a private matter for the user and that the 'platform' should not support this as a default.  An OS level screenshot has the potential to expose a lot of information about the user that their may well consider private.

Some users may well want to take an OS level screenshot and send it over the web, but surely the UA UI could make sure this is an intentional opt-in action.

cheer
Fred
> Date: Thu, 1 Nov 2012 16:40:49 +0000
> To: public-webappsec@w3.org<mailto:public-webappsec@w3.org>
> From: sysbot+tracker@w3.org<mailto:sysbot+tracker@w3.org>
> Subject: ISSUE-28: What specific attacks are prevented by OS screenshots, should this be recommended against generally?
>
> ISSUE-28: What specific attacks are prevented by OS screenshots, should this be recommended against generally?
>
> http://www.w3.org/2011/webappsec/track/issues/28
>
> Raised by:
> On product:
>
>
>
>
>
Received on Monday, 5 November 2012 04:37:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 5 November 2012 04:37:08 GMT