Stealing sensitive browser data with the W3C Ambient Light Sensor API
23 Oct 2017 • blog.lukaszolejnik.comPotentially more troubling is the fact that attackers can extract pixel-perfect representations of cross-origin images and frames: essentially, discover how a given site or image looks for the attacked user (in our demo we focus on images because they are easier to exfiltrate). In extreme cases, for example on sites which use account recovery QR codes for emergency access to an account (https://victim.com/account-code.png), this could allow the attacker to hijack the victim’s account.
Yikes. I’m sure glad smart people are thinking about these problems.