Firefox disables loophole that allows sites to track users via battery status
Mozilla Firefox is dropping a feature that lets websites see how much battery life a visitor has left, following research showing that it could be used to track browsers. The feature was intended to allow websites to offer less energy-intensive versions of their sites to visitors.

The feature, called the battery status API, allows websites to request information about the capacity of a visitor’s device, such as whether or not it’s plugged in and charging, how long it will last until it is empty, and the percentage of charge remaining.

It was intended to allow websites to offer less energy-intensive versions of their sites to visitors with little battery power left: for instance, a mapping site could download less information, or a social network could disable autoplaying video.

But in 2015, the Guardian reported that researchers had discovered that it was easy to abuse the feature to track browsing on the internet.

For instance, if a user visits a website in private browsing mode using a VPN, the website should not be able to link them to a subsequent visit with private browsing and the VPN off. But the researchers warned that that may no longer work: “Users who try to revisit a website with a new identity may use browsers’ private mode or clear cookies and other client side identifiers. When consecutive visits are made within a short interval, the website can link users’ new and old identities by exploiting battery level and charge/discharge times. The website can then re-instantiate users’ cookies and other client side identifiers, a method known as respawning.”

A year later, the Guardian reported that the hypothetical abuse had become a reality, with two security researchers from Princeton University discovering tracking scripts being used in the wild to “fingerprint” a specific device, allowing them to continuously identify it across multiple contexts.

That final discovery gave the developers of Mozilla’s Firefox browser the motivation to remove the functionality from the program. Firefox was one of three browsers that brought the battery status API to the public, along with Chrome and Opera. The feature was finally removed on 27 October, a year and five months after the first concerns were raised.

Lukasz Olejnik, a London-based security and privacy consultant and a researcher at UCL, was one of the four researchers who originally discovered the potential for abuse of the battery status API. He says he’s “very happy to see the impact made by my security and privacy works”.

“I did not expect a web browser to completely purge an API, it’s unprecedented. I am not aware of any similar development in the web’s history,” he said.

Olejnik was sanguine about the delay in taking action, saying: “I think that what matters most is the outcome. We suggested some changes in 2015, and expanded mitigation strategies were proposed this year. Mozilla has decided to completely remove the functionality. The fact that this is happening due to privacy concerns is ultimately important. We went a long way with understanding the importance of privacy, user control and awareness.”
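To make the linking risk described above concrete, and to show what the kind of precision-reducing mitigation the researchers alluded to buys, here is an added example that is not from the article, the researchers or Mozilla. It models the three fields the API exposed (level, chargingTime, dischargingTime) over a constructed set of readings and measures what fraction of readings are unique, first raw and then after an assumed mitigation of rounding level to two decimals and dropping the time estimates.

```javascript
// Added example (not the article's or Mozilla's code). Readings below are constructed.
// A reading mirrors the BatteryManager fields: level in [0,1] at whatever precision the
// platform reports, chargingTime/dischargingTime in seconds (Infinity when unknown).

// Key as the raw API exposed it: every field at full precision.
function rawKey(b) {
  return `${b.level}|${b.chargingTime}|${b.dischargingTime}`;
}

// Assumed mitigation (an illustration, not the browser's actual patch): round level to
// two decimals and withhold the time estimates entirely.
function coarsen(b) {
  return { level: Math.round(b.level * 100) / 100, chargingTime: null, dischargingTime: null };
}

function coarseKey(b) {
  return coarsen(b).level.toFixed(2);
}

// Fraction of readings whose key is shared by no other reading. A unique key is one a
// site could use to re-identify that visitor on a near-term revisit.
function uniqueFraction(readings, keyFn) {
  const counts = new Map();
  for (const r of readings) {
    const k = keyFn(r);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  let unique = 0;
  for (const n of counts.values()) if (n === 1) unique++;
  return unique / readings.length;
}

// Constructed sample: six visitors, four of them at almost the same charge level.
const SAMPLE = [
  { level: 0.5721, chargingTime: Infinity, dischargingTime: 8640 },
  { level: 0.5743, chargingTime: Infinity, dischargingTime: 8712 },
  { level: 0.5700, chargingTime: Infinity, dischargingTime: 8580 },
  { level: 0.5688, chargingTime: Infinity, dischargingTime: 8500 },
  { level: 0.6120, chargingTime: 1800, dischargingTime: Infinity },
  { level: 0.3331, chargingTime: Infinity, dischargingTime: 4200 },
];

console.log('raw   :', uniqueFraction(SAMPLE, rawKey));    // 1
console.log('coarse:', uniqueFraction(SAMPLE, coarseKey)); // 0.333...
```

Raw readings are all unique, so each visitor is distinguishable; after coarsening, the four similar devices collapse into one bucket, which is why precision reduction was a partial fix and removal the complete one.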

While Mozilla is currently the only browser vendor to have actively removed the Battery Status API, others have taken note of the same problems. Developers of WebKit, the open-source browser engine on which Apple’s Safari is based, have also proposed removing code supporting the API from their project. But unlike Firefox, Safari never shipped the API to end users.

The Guardian has asked Google, Opera and Mozilla for comment. Apple has declined to comment.

Article by Alex Hern | Source: MSN.com