In less than one second, a malicious web-page can uniquely fingerprint an Iphone, Pixel 2 or Pixel 3 without any explicit user interaction

Originally published at:

1 Like

Throws phone against the wall “Yeah!!! fingerprint that!!!”

1 Like

But: I didn’t grant firefox permission to read off all my sensors. If it can read off arbitrary sensor data without my permission, that’s a major security breach.

Webpages have no business with my sensors unless they request and are granted permission.

1 Like

isnt that a samsung phone?

iPhone gyroscopes, of all things, can uniquely ID handsets on anything earlier than iOS 12.2

Well now you’re just making it easy for them.

1 Like

Exactly. Why in Cthulu’s name would they allow a web browser to query any sensor on a mobile?


So that google can offer increased value to the dossier they sell around and exploit.

In other words, the malicious web page can generate a unique ID (aka “fingerprint”) of the device. It could then identify that device. But to identify who the device belongs to, that takes other factors, I take it. Useful for recognising repeat visitors despite deleting cookies, perhaps? Maintaining persistence against the wishes of the user?

EDIT: what is really neat is how the report, after going in great detail of how they found out, actually has good suggestions for the manufacturers, which I expect they will investigate and most likely implement.

The simplest reason is so that web developers can make tools that don’t need to be downloaded, that can use cameras for video chat and whatnot without needing to leave the browser. The frontend developer community is all abuzz about how having access to sensors in the latest ECMAScript versions will make it possible to use gestures like shaking, tilting, and so on. Supposedly this will lead to better usability, though I personally have no idea how.

It’s been a sort of battle, that not everything needs to be a native app, yet leaving control of sensor access in the hands of the user, but also not overburdening the device user with a bunch of “XYZ wants to use your motion sensor” toast notifications.

This topic was automatically closed after 5 days. New replies are no longer allowed.