Mozilla Foundation Security Advisory 2016-43

Disclosure of user actions through JavaScript with motion and orientation sensors

Announced

April 26, 2016

Reporter

Maryam Mehrnezhad

Impact

High

Products

Firefox

Fixed in

Firefox 46

Description

Security researcher Maryam Mehrnezhad of Newcastle University, UK reported an issue discovered by their research team, which also includes Ehsan Toreini, Siamak F. Shahandashti, and Feng Hao. They found vulnerabilities in Firefox for Android using orientation data and motion sensors on a mobile device's browser accessible through JavaScript. This allows an attacker to infer touch actions on the device through these sensors when orientation events are triggered in the browser, compromising user privacy and including potentially revealing entered PIN code data along with other user activities.

This issue does not affect desktop versions of Firefox.

References

Risks in accessing to the mobile orientation and motion sensors via JavaScript (CVE-2016-2813)
TouchSignatures: Identification of User Touch Actions based on Mobile Sensors via JavaScript

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2016-43

Disclosure of user actions through JavaScript with motion and orientation sensors

Description

References