Mozilla Foundation Security Advisory 2011-45

Inferring keystrokes from motion data

Announced

September 27, 2011

Impact

Moderate

Products

Firefox, SeaMonkey

Fixed in

Firefox 7
SeaMonkey 2.4

Description

University of California, Davis researchers Liang Cai and Hao Chen presented a paper at the 2011 USENIX HotSec workshop on inferring keystrokes from device motion data on mobile devices. Web pages can now receive data similar to the apps studied in that paper and likely present a similar risk. We have decided to limit motion data events to the currently-active tab to prevent the possibility of background tabs attempting to decipher keystrokes the user is entering into the foreground tab.

References

Restrict DeviceMotion to the active document
HotSec '11 Workshop Sessions, "TouchLogger: Inferring Keystrokes on Touch Screen from Smartphone Motion"

Firefox for Desktop

Firefox for iOS

Firefox for Android

Firefox Focus

Firefox blog

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Fakespot

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Innovation Projects

Blog

Mozilla Foundation

Mozilla.ai

Mozilla Ventures

Mozilla Advertising