[tor-bugs] #21609 [Applications/Tor Browser]: Investigate device sensor code for possible information leaks

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed May 3 15:02:18 UTC 2017 

#21609: Investigate device sensor code for possible information leaks
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must-alpha, tbb-   |  Actual Points:
  fingerprinting, TorBrowserTeam201705           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor4
-------------------------------------------------+-------------------------

Comment (by mcs):

 I did some experimentation using the following JS snippets within the
 developer console:
 {{{
 window.addEventListener("deviceorientation", aEvent =>
 console.log(aEvent));
 window.addEventListener('devicelight', aEvent => console.log(aEvent));
 }}}
 On a MacBook Pro, `devicelight` events are generated but only after I
 changed `device.sensors.enabled` to true and restarted the browser.
 `deviceorientation` events are not generated; I think those require an
 accelerometer.

 There is a Boolean pref `device.sensors.test.events` that you can set to
 `true` to cause a fake sensor event to be generated (that happens the
 first time a sensor-related event listener is registered). This also has
 no effect if `device.sensors.enabled = false`.

 On a Lenovo convertible laptop running Windows 10 (which supports rotation
 to all four screen orientations) I could not generate either event, even
 when in tablet mode. In Chrome I see one `deviceorientation` event but it
 does not contain useful data.

 I am confident that all of these events are disabled by
 `device.sensors.enabled = false`. Search for mEnabled within
 `dom/system/nsDeviceSensors.cpp`.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21609#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list