In less than one second, a malicious web-page can uniquely fingerprint an iPhone, Pixel 2 or Pixel 3 without any explicit user interaction

Originally published at: https://boingboing.net/2019/05/22/unique-device-fingerprints.html


Throws phone against the wall “Yeah!!! fingerprint that!!!”


But: I didn’t grant Firefox permission to read off all my sensors. If it can read off arbitrary sensor data without my permission, that’s a major security breach.

Webpages have no business with my sensors unless they request and are granted permission.


Isn’t that a Samsung phone?

iPhone gyroscopes, of all things, can uniquely ID handsets on anything earlier than iOS 12.2

Well now you’re just making it easy for them.


Exactly. Why in Cthulhu’s name would they allow a web browser to query any sensor on a mobile?


So that Google can offer increased value to the dossier they sell around and exploit.

In other words, the malicious web page can generate a unique ID (aka “fingerprint”) of the device. It could then identify that device. But to identify who the device belongs to, that takes other factors, I take it. Useful for recognising repeat visitors despite deleting cookies, perhaps? Maintaining persistence against the wishes of the user?

EDIT: what is really neat is how the report, after going into great detail about how they found out, actually has good suggestions for the manufacturers, which I expect they will investigate and most likely implement.

The simplest reason is so that web developers can make tools that don’t need to be downloaded, that can use cameras for video chat and whatnot without needing to leave the browser. The frontend developer community is all abuzz about how having access to sensors in the latest ECMAScript versions will make it possible to use gestures like shaking, tilting, and so on. Supposedly this will lead to better usability, though I personally have no idea how.

It’s been a sort of battle, that not everything needs to be a native app, yet leaving control of sensor access in the hands of the user, but also not overburdening the device user with a bunch of “XYZ wants to use your motion sensor” toast notifications.
