W3C home > Mailing lists > Public > public-privacy@w3.org > April to June 2016

Sensor-based Mobile Web Fingerprinting and Cross-site Input Inference Attacks

From: Nick Doty <npdoty@ischool.berkeley.edu>
Date: Thu, 23 Jun 2016 14:41:51 -0700
Message-Id: <B58052B5-A4C4-4475-9A1A-64978004337A@ischool.berkeley.edu>
To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Hi public-privacy,

Attached is a workshop paper from the Mobile Security Technologies (MoST) 2016 workshop at IEEE Security & Privacy last month. It may be of interest to our community, as it's suggesting that: 1) motion and orientation data can be used for cross-origin fingerprinting and, perhaps more novel for us, 2) motion and orientation sensors could potentially be used to gather the content typed into a soft-keyboard for a different iframe.

I think perhaps the general risk to be aware of here is that sensor data is inherently cross-origin and so if those APIs are accessible to different origins, they can allow correlation or inference of data in ways that are unexpected.

Thanks,
Nick




Received on Thursday, 23 June 2016 21:43:15 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 23 June 2016 21:43:16 UTC