[sensors] Security/privacy concerns beyond fingerprinting -- data exfiltration

wseltzer has just created a new issue for https://github.com/w3c/sensors:

== Security/privacy concerns beyond fingerprinting -- data exfiltration ==
While the privacy considerations mention device and user fingerprinting, there are also more specific data exfiltration concerns. Among them:
 * By manipulating the device's state or screen state and then reading that, a malicious script could cause the exfiltration of data. https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
 * By sensing motion (possibly triggered by an alert in another window), a malicious script could learn user inputs, such as PINs. https://blogs.ncl.ac.uk/security/author/b2031864/

Please view or discuss this issue at https://github.com/w3c/sensors/issues/182 using your GitHub account

Received on Thursday, 20 April 2017 15:42:38 UTC