Data leakage via ambient light

Yesterday I came across a tweet from Lukasz Olejnik, sharing his work on privacy assessment in web standards – and data leakage via the W3C Ambient Light Sensor API in particular.

TLDR; It deals with a sort of side channel attack: A list of domains is shown on the top of the screen, domain by domain; The background of the page is styled differently (black or white background) depending on whether the link is visited or not; The reflection of this background from the user's facial skin is picked up via the device's ambient light sensors. The user's browsing history can thereby be leaked.

This is a great example of privacy by design!

Check out a video (mp4) of his presentation at the International Workshop on Privacy Engineering – including a POC of the attack – and the paper it's based on.

Newer post
The legend never dies
Older post
OWASP Top-10 is not a standard