A team of security researchers has found that mobile sites can be abused to leak sensitive sensor data. Their report, called “The Web’s Sixth Sense”, describes the privacy implications and how exactly this can be used by malicious users.
Mobile Sites Can Expose Smartphone Sensor Data
Mobile sites can be abused to infect users' devices in various ways, including dangerous web elements, virus download scripts and cryptocurrency miners, but a new report sheds light on a new strategy. According to a team of security experts and their recently published paper called “The Web’s Sixth Sense”, the sites can be used to leak sensor data.
The web browsers on both Android and iOS require that the appropriate permissions for accessing sensor data are granted; this functionality is used, for example, to rotate the screen when the device is turned. What’s more interesting is that they also allow developers access to the raw sensor data. This turns out to be a problematic area, as various sites take advantage of this fact. A look at the top 100 000 sites as ranked by Alexa shows that a total of 3695 of them incorporate scripts that in some way “tap” the sensor data.
One of the most popular cases is the one associated with Google Maps usage: if it is opened in a web browser window, it will request location data access. When granted, this will additionally allow other sensor data to be collected (motion, lighting, proximity and so on), for which there is no specific mechanism for notifying users or asking for permission to collect it. In reality, the collection is invisible to the users.
Malicious users can make use of such data in various scenarios: ambient light detection may be used to check for web browsing habits, while motion sensor data can be used to deduce PIN number entry and other user activities. The researchers conclude in their paper that, if this is not fixed, hackers can develop other mechanisms as well. They looked at nine browsers and analyzed how they handle sensor data: Edge, Safari, Firefox, Brave, Focus, Chrome, UC Browser and Opera Mini. The data shows that only the mobile version of Firefox requests additional permissions to access the light and proximity sensors. What’s more interesting is the fact that most of the popular tracking and ad blockers didn’t reliably block the scripts that request sensor data.
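Because the collection is invisible and blockers miss it, a site owner can audit which scripts on their own pages register for sensor events. The sketch below is an added example, not code from the paper: `auditSensorListeners` is a hypothetical helper, the event names are the standard and legacy DOM sensor events, and the caller lookup assumes a V8-style stack trace.

```javascript
// DOM event types that deliver raw sensor readings to page scripts.
const SENSOR_EVENTS = new Set([
  "devicemotion", "deviceorientation", "deviceorientationabsolute",
  "devicelight", "deviceproximity", "userproximity",
]);

// Hypothetical helper: wrap an event target (normally `window`) so every
// sensor listener registration is recorded before it is passed through.
// Load it before any third-party script runs.
function auditSensorListeners(target, findings = []) {
  const originalAdd = target.addEventListener;

  function record(type, via) {
    // Frame 3 = the script that called addEventListener or set on<event>.
    const frame = (new Error().stack || "").split("\n")[3] || "unknown";
    findings.push({ type, via, caller: frame.trim() });
  }

  // Path 1: target.addEventListener("devicemotion", fn)
  target.addEventListener = function (type, listener, options) {
    if (SENSOR_EVENTS.has(type)) record(type, "addEventListener");
    return originalAdd.call(this, type, listener, options);
  };

  // Path 2: target.ondevicemotion = fn (handler property assignment)
  for (const type of SENSOR_EVENTS) {
    let handler = null;
    Object.defineProperty(target, "on" + type, {
      configurable: true,
      get: () => handler,
      set(fn) {
        if (handler) target.removeEventListener(type, handler);
        handler = typeof fn === "function" ? fn : null;
        if (handler) {
          record(type, "on" + type);
          originalAdd.call(target, type, handler);
        }
      },
    });
  }
  return findings;
}
```

In a page, `auditSensorListeners(window)` returns an array that fills in as scripts register; it does not cover the newer Generic Sensor API classes such as `Accelerometer`.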
For more information on the topic you can read the whole paper.