- From: Wojciech Masłowski <wmaslowski@opera.com>
- Date: Thu, 18 Aug 2011 13:05:14 +0200
- To: Dominique Hazael-Massieux <dom@w3.org>
- CC: "public-geolocation@w3.org" <public-geolocation@w3.org>

On 2011-08-18 12:20, Dominique Hazael-Massieux wrote:
> On Thursday 18 August 2011 at 10:26 +0200, Wojciech Masłowski wrote:
>> http://www.newscientist.com/article/mg21128255.200-smartphone-jiggles-reveal-your-private-data.html
>>
>> TLDR: It is possible to construct a keylogger using only accelerometer
>> data. Maybe we should think about revising security policy for device
>> orientation events and force UA to ask user if he wants to allow site to
>> use orientation events.
> Isn't it that this is only problematic if a Web page wants to keep
> getting orientation events when not visible? Maybe permission would need
> to be asked only in cases a Web page needs to get these events even when
> not visible?
>
> Dom
>

I don't think so. Firstly, the user can use multiple other applications while having a malicious site opened and visible. Apart from that, it would seem rather weird to ask for permission to monitor orientation events as you, for example, switch the tab. At least I as a user would be quite surprised.

Original research paper:
http://regmedia.co.uk/2011/08/17/touchlogger_research_paper.pdf

--
Wojciech Masłowski
Engineering CORE Wrocław
Opera Software ASA
http://www.opera.com

Received on Thursday, 18 August 2011 11:06:19 UTC