Malicious JavaScript Code Can Steal PIN Codes via Motion Sensors

Malicious JavaScript Code Can Steal PIN Codes via Motion Sensors

We may earn a commission for purchases made using our links.

The amount of data stored and accessible from our smartphones and tablets is generally ignored by most people. However, this becomes a treasure trove for hackers and security researchers and this can end up producing some eye-opening discoveries. This latest attack point was actually reported to the Chromium team back in 2015 and focused on the ability for malicious JavaScript code to access mobile orientation and motion sensors directly from the browser.

At a first glance, that doesn’t sound malicious at all. There are a number of websites that use this motion sensor data to let you play a game on your smartphone and even viewing spherical videos. You can see a sample test of a browser using your motion sensing data (that isn’t malicious) on this demo page right here. However, security researchers have been able to come up with an algorithm that uses the motion sensing data to actually guess your PIN number.

That’s right, the researchers that came up with the PINLogger.js code says their tests of fifty 4-digit PINs saw a success rate of 74% on the first attempt at guessing. This success rate increases to 86% on the second attempt, and then increases again to 94% on the third attempt. The malicious code is loaded in an iframe so when the user goes to a different tab (say a banking application or banking website), the code is still loaded in the minimized tab.

This allows the attacker to collect data on the motion sensors and can then use that data to figure out your PIN codes. The Chromium team has classified this as a low severity security threat, and the bug report it still open to this day. As of March 30th the team says they’re concerned about implementing some limitations as it would impact “embedded spherical videos, embedded maps using orientation data, etc.”

In April they said they would be holding out on changing anything until there’s indication about an active attack, there’s proof the attack can be used to detect keystrokes, or they can come up with a solution that doesn’t break legitimate use cases like the spherical videos and embedded maps.

Via: Ars Technica Source: International Journal of Information Security