HTML5 privacy hole left users open to tracking for three years


A feature of HTML5 that allows sites to detect battery life on a visitor’s device can also be used to track behaviour, a piece of research has revealed.

Analysts from France and Belgium made the discovery while investigating the battery power API, used on Firefox, Chrome and Opera.

« Our study shows that websites can discover the capacity of users’ batteries by exploiting the high precision readouts provided by Firefox on Linux, » the authors write in a paper published online, having focussed their efforts on Mozilla’s browser. « The capacity of the battery, as well as its level, expose a fingerprintable surface that can be used to track web users in short time intervals. »

The tracking can occur by looking at the actual battery life readings delivered by the API, which was designed to help save user’s power by letting sites know when to switch to energy-saving modes. It turns out, the API can deliver an incredibly specific reading of the battery status every 30 seconds, including battery life remaining in seconds and percentage remaining. Considering the change will be minor across those 30 seconds, the unique combination of these two readings can be described as a fingerprint for a specific user, enabling sites to track them whether or not they are using privacy settings.

Don’t miss

Zero-day OS X bug revealed in July already exploited in the wild

« When consecutive visits are made within a short interval, the website can link users’ new and old identities by exploiting battery level and charge/discharge times. The website can then reinstantiate users’ cookies and other client side identifiers, a method known as respawning.

« Although this method of exploiting battery data as a linking identifier would only work for short time intervals, it may be used against power users who can not only clear their cookies but can go to great lengths to clear their evercookies. »

The team did rule out the risk of long-term tracking, however, considering a user’s behaviour patterns and the times they choose to charge their device will vary so widely and frequently. 

They also found that the risk was far higher for devices fitted with old or used batteries, « as the battery capacity may potentially serve as a tracking identifier ». They suggest reducing the « fingerprintable surface of the API » so that it may continue to work effectively, without leaving the user open to tracking.

The bug has already been drawn to Mozilla’s attention, after it was discovered Firefox’s implementation of the API specifically provided an opening for tracking. The company has heeded the warning, and swiftly implemented the proposed improvements.

According to the paper the gap in privacy has been wide open since 2012, when Mozilla itself discussed the potential vulnerability. When the standard went live, the World Wide Web Consortium specs described the API and its impact thus: « The information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed without permission grants. » Meaning, the user was none the wiser anything was happening, up until now, with the consortium reasoning that permissions were not necessary.

Despite the concerns raised in 2012, at the time — and up until this paper was published — nothing was done. So for three years, there was plenty of potential for sites to be tracking user behaviour, whether they switched privacy settings or VPNs on. There is no mention of how the authors followed up with either Chrome or Opera — the main experiment focussed on Firefox on Linux, so there may be further potential for abuse elsewhere. has contacted the authors to find out, and will update this article if we hear back.

Laisser un commentaire