Data leakage via ambient light

8thofSeptember2020

on Privacy in English

1 min read

Yesterday I came across a tweet from Lukasz Olejnik, sharing his work on privacy assessment in web standards – and data leakage via the W3C Ambient Light Sensor API in particular.

TLDR; It deals with a sort of side channel attack: A list of domains is shown on the top of the screen, domain by domain; The background of the page is styled differently (black or white background) depending on whether the link is visited or not; The reflection of this background from the user's facial skin is picked up via the device's ambient light sensors. The user's browsing history can thereby be leaked.

This is a great example of privacy by design!

Check out a video (mp4) of his presentation at the International Workshop on Privacy Engineering – including a POC of the attack – and the paper it's based on.

Tags

Privacy  Privacy Engineering  Security  Security Engineering  Software Development  W3c  Privacy By Design 
Newer post
The legend never dies
Older post
OWASP Top-10 is not a standard