Security/privacy concerns beyond fingerprinting -- data exfiltration #182

Closed
wseltzer opened this issue Apr 20, 2017 · 3 comments
@wseltzer
Member

While the privacy considerations mention device and user fingerprinting, there are also more specific data exfiltration concerns. Among them:

- By manipulating the device's state or screen state and then reading that, a malicious script could cause the exfiltration of data. https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
- By sensing motion (possibly triggered by an alert in another window), a malicious script could learn user inputs, such as PINs. https://blogs.ncl.ac.uk/security/author/b2031864/

@wseltzer wseltzer added privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response. security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response. labels Apr 20, 2017
@lknik
Contributor

lknik commented Apr 20, 2017

Hi,

This may be relevant as well: https://blog.lukaszolejnik.com/additional-security-and-privacy-risks-of-light-sensors/

That said, the current "considerations" section does not focus only on fingerprinting.

We also have an additional ALS issue.

@tobie tobie modified the milestone: Level 1 May 4, 2017
@alexshalamov alexshalamov self-assigned this Sep 7, 2017
@alexshalamov

In addition to generic mitigation strategies for Security and Privacy concerns, we've made a preliminary analysis of the attack vector identified by @lknik and have a rough estimation of the required resolution limits that mitigate the risk.

In addition to that, we are investigating even higher resolution limits (4bit) for some of the sensors.

The PIN skimming attacks and cross-origin communication are addressed in the Security and Privacy section and implemented in Chrome.

In addition to integration with the Permission API, sensors are only accessible to secure, focused, visible, top-level browsing contexts.

@wseltzer @anssiko Does the specification address the raised issue?
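
The two mitigations named in the comment above (reduced reading resolution, and restricting sensors to secure, focused, visible, top-level contexts), sketched as an added example that is not part of the thread, the specification text or any browser's code. The function names, the 0 to 1600 lux range and the reading of "4bit" as 16 discrete levels are assumptions made for illustration.

```javascript
// Added example with hypothetical helpers; not the Generic Sensor API itself.

// Context gate from the thread: secure, focused, visible, top-level.
// `ctx` is a plain object so this runs outside a browser. In a page the values
// would come from window.isSecureContext, document.hasFocus(),
// document.visibilityState and (window.top === window).
function contextMayReadSensor(ctx) {
  return ctx.isSecureContext === true &&
         ctx.hasFocus === true &&
         ctx.visibilityState === "visible" &&
         ctx.isTopLevel === true;
}

// Reduce a reading to `bits` of resolution over an assumed [min, max] range.
function limitResolution(value, min, max, bits) {
  if (!Number.isFinite(value)) throw new RangeError("reading must be finite");
  const levels = 2 ** bits;                       // 4 bits -> 16 buckets
  const step = (max - min) / levels;
  const clamped = Math.min(Math.max(value, min), max);
  const bucket = Math.min(Math.floor((clamped - min) / step), levels - 1);
  return min + bucket * step;                     // lower edge of the bucket
}

// Hand a reading to script only if the gate passes; otherwise null.
function deliverReading(ctx, rawLux, opts = { min: 0, max: 1600, bits: 4 }) {
  if (!contextMayReadSensor(ctx)) return null;
  return limitResolution(rawLux, opts.min, opts.max, opts.bits);
}

// How many distinct values a script can observe across the whole range.
function distinctOutputs(bits, min = 0, max = 1600) {
  const seen = new Set();
  for (let lux = min; lux <= max; lux++) {
    seen.add(limitResolution(lux, min, max, bits));
  }
  return seen.size;
}

// Constructed sample contexts (not captured from a real browser).
const foreground = { isSecureContext: true, hasFocus: true,
                     visibilityState: "visible", isTopLevel: true };
const hiddenTab  = { ...foreground, visibilityState: "hidden" };
const subframe   = { ...foreground, isTopLevel: false };

console.log(deliverReading(foreground, 412), deliverReading(foreground, 424));
console.log(deliverReading(hiddenTab, 412), deliverReading(subframe, 412));
console.log(distinctOutputs(4));
```

Readings 412 and 424 lux fall in the same bucket, so a small brightness difference between them is no longer visible to the script, and a hidden tab or an embedded frame receives no reading at all.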

@anssiko
Member

anssiko commented Sep 26, 2017

The spec also provides a checklist for extension spec authors at https://w3c.github.io/sensors/#extension-security-and-privacy

@wseltzer, since we haven’t heard from you we assume you’re fine with us closing this issue now. Please let us know if you think otherwise, we are happy to provide further details on request.
