Apple, Mozilla kill API to deplete W3C battery-snitching standard

Idea for low-powered HTML adjustments abandoned after security implications explored

By Richard Chirgwin

Apple and Mozilla are leading the charge away from a W3C standard, because it's too much of a privacy risk.

The Register reported the battery-snitching capability in August 2015.

The W3C's idea was that if HTML included properties exposing the state of users' batteries, a site could de-cruft the Web pages it served when your phone was on the last 20 per cent of charge.

However, the 2015 paper (PDF) published at the International Association for Cryptologic Research (IACR) highlighted the privacy implications of battery-snitching. The paper pointed out that the Battery Status API provided an effective way to fingerprint users.

A paper (PDF) presented in late October at the Association of Computing Machinery's Conference on Computer and Communications Security bore that out, with the authors demonstrating that simple scripts can exploit the API.

One of the authors of the 2015 IACR paper, Lukasz Olejnik (whose work includes highlighting the serious privacy risks posed by the Bluetooth Web API) has now blogged that the Battery Status API is being pulled from Firefox.

The change will be effective as of Firefox 52.

It might not stop there. As Olejnik also notes, it looks like the API will be removed from WebKit as well – even before it was fully implemented in Safari. ®
