Stealing sensitive browser data with the W3C Ambient Light Sensor API

23 Oct 2017 • blog.lukaszolejnik.com

Potentially more troubling is the fact that attackers can extract pixel-perfect representations of cross-origin images and frames: essentially, discover how a given site or image looks for the attacked user (in our demo we focus on images because they are easier to exfiltrate). In extreme cases, for example on sites which use account recovery QR codes for emergency access to an account (https://victim.com/account-code.png), this could allow the attacker to hijack the victim’s account.

Yikes. I’m sure glad smart people are thinking about these problems.

Running Blind

Stealing sensitive browser data with the W3C Ambient Light Sensor API

Related Posts

Cold Weather as proof against Global Warming 30 Jan 2019

Samsung Space Monitor Optimizes Desk Space With Minimalist Design 28 Jan 2019

Using a newer Ruby with Alfred Workflows (rbenv) 28 Jan 2019