Bug 977380 (CVE-2016-2813) - VUL-0: CVE-2016-2813: MozillaFirefox: Disclosure of user actions through JavaScript with motion and orientation sensors (MFSA 2016-43)
Summary: VUL-0: CVE-2016-2813: MozillaFirefox: Disclosure of user actions through Java...
Status: RESOLVED INVALID
Alias: CVE-2016-2813
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All All
Importance: P5 - None : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on: 977333
Blocks:
Reported: 2016-04-27 08:46 UTC by Andreas Stieger
Modified: 2020-04-05 18:21 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2016-04-27 08:46:39 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2016-43/

Security researcher Maryam Mehrnezhad of Newcastle University, UK reported an issue discovered by their research team, which also includes Ehsan Toreini, Siamak F. Shahandashti, and Feng Hao. They found vulnerabilities in Firefox for Android using orientation data and motion sensors on a mobile device's browser accessible through JavaScript. This allows an attacker to infer touch actions on the device through these sensors when orientation events are triggered in the browser, compromising user privacy and including potentially revealing entered PIN code data along with other user activities.

Risks in accessing to the mobile orientation and motion sensors via JavaScript (CVE-2016-2813)
https://bugzilla.mozilla.org/show_bug.cgi?id=1197901

TouchSignatures: Identification of User Touch Actions based on Mobile Sensors via JavaScript
http://dl.acm.org/citation.cfm?id=2714650
Comment 1 Andreas Stieger 2016-04-27 08:48:01 UTC
This issue does not affect desktop versions of Firefox.
Comment 2 Bernhard Wiedemann 2016-04-30 08:01:01 UTC
This is an autogenerated message for OBS integration:
This bug (977380) was mentioned in
https://build.opensuse.org/request/show/392977 Factory / MozillaFirefox
https://build.opensuse.org/request/show/392978 42.1 / MozillaFirefox
https://build.opensuse.org/request/show/392979 13.2 / MozillaFirefox
https://build.opensuse.org/request/show/392980 13.1 / MozillaFirefox
Comment 3 Bernhard Wiedemann 2016-05-04 06:00:46 UTC
This is an autogenerated message for OBS integration:
This bug (977380) was mentioned in
https://build.opensuse.org/request/show/393514 Factory / MozillaFirefox
Comment 4 Swamp Workflow Management 2016-05-06 14:08:54 UTC
openSUSE-SU-2016:1251-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 977333,977373,977375,977376,977377,977378,977379,977380,977381,977382,977384,977386,977388
CVE References: CVE-2016-2804,CVE-2016-2806,CVE-2016-2807,CVE-2016-2808,CVE-2016-2809,CVE-2016-2810,CVE-2016-2811,CVE-2016-2812,CVE-2016-2813,CVE-2016-2814,CVE-2016-2816,CVE-2016-2817,CVE-2016-2820
Sources used:
openSUSE 13.1 (src):    MozillaFirefox-46.0-113.2, mozilla-nss-3.22.3-77.1