Sensor-based Mobile Web Fingerprinting and Cross-site Input Inference Attacks

Hi public-privacy,

Attached is a workshop paper from the Mobile Security Technologies (MoST) 2016 workshop at IEEE Security & Privacy last month. It may be of interest to our community, as it's suggesting that: 1) motion and orientation data can be used for cross-origin fingerprinting and, perhaps more novel for us, 2) motion and orientation sensors could potentially be used to gather the content typed into a soft-keyboard for a different iframe.

I think perhaps the general risk to be aware of here is that sensor data is inherently cross-origin, and so if those APIs are accessible to different origins, they can allow correlation or inference of data in ways that are unexpected.

Thanks,
Nick

Received on Thursday, 23 June 2016 21:43:15 UTC