Sensors used to detect the level of ambient light can be used to steal browser data, according to privacy expert Lukasz Olejnik.

Over the past decade, ambient light sensors have become quite common in smartphones, tablets, and laptops, where they are used to detect the level of surrounding light and automatically adjust a screen's intensity to optimize battery consumption... and other stuff.

The sensors have become so prevalent, that the World Wide Web Consortium (W3C) has developed a special API that allows websites (through a browser) to interact with a device's ambient light sensors.

Browsers such as Chrome and Firefox have already shipped versions of this API with their products.

Google doesn't want browsers asking for ALS permissions

Last month, in a discussion of the W3C Generic Sensor specification, the Google team proposed that ambient light sensors (ALS), together with gyroscope, magnetometer, and accelerometer sensors, should be exempt from the browser permissions system. In other words, websites using these sensors won't have to ask users for explicit permission before accessing the any of these four sensors.

Google's opinion is that by removing this permission requirement, browsers will be on par with mobile applications, which also don't have to ask the user for permission before accessing these sensors.

This proposal didn't go well with Olejnik and fellow researcher Artur Janc, who in a series of demos, have proved that light radiating from the device's screen, is often picked up by the ambient light sensors.

A determined attacker that can lure victims to his site, or one that can insert malicious code on another site, can determine which URLs a user has visited in the past. The whole attack relies on using different colors for normal and previously visited links, which produce a small light variation that ambient light sensors can pick up.

Furthermore, Olejnik and Janc also proved that ambient light sensors can steal QR codes, albeit this attack takes longer to perform.

Right now, ambient light sensors readings are blocked in Chrome behind settings flags, as the API is experimental, but they're supported in Firefox via DeviceLight events.

It is possible to mitigate attacks

According to Olejnik, mitigating this attack is simple, as it only requires browser makers and the W3C to adjust the default frequency at which the sensors report their readings. Furthermore, the researcher also recommends that browser makers quantize the result by limiting the precision of the sensor output to only a few values in a preset range.

Both attacks Olejnik and Janc devised take from seconds to minutes to execute. With these mitigations in place, the attacks wouldn't be stopped, but they would take even longer to perform, making any of them impractical in the real world. In the long run, Olejnik and Janc hope to see access to these sensors behind a dedicated browser permission.

The two researchers filed bug reports with both Chrome and Firefox in the hopes their recommendations will be followed.

Olejnik has previously showed how battery readouts can allow advertisers to track users online, how the new W3C Web Bluetooth API is riddled with privacy holes, and how the new W3C Proximity Sensor API allows websites and advertisers to query the position of nearby objects.