Firefox Cuts Website Access to Battery API That Allowed Sites to Track Users

Rafia Shaikh
Posted Nov 1, 2016

Firefox is dropping a feature that lets websites access the Battery Status API to see how much battery life a visiting machine has left. Mozilla decided to cut this website access in Firefox 52 following security research showing that it could be used to track users' browsing habits.

Firefox 52 drops support for the Battery API that allows sites to track users

Mozilla introduced the Battery Status API in 2012 to let websites, apps and extensions learn about the device's battery charge and discharge times, whether the device is plugged in, how long it will last, and the remaining battery level. The API was designed to allow websites to offer less energy-intensive versions of their services to visitors with little battery left.

However, the browser grants access to this information directly, with no permission request that would let a user keep a site from reading it. The specification explains:

The API defined in this specification is used to determine the battery status of the hosting device. The information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed without permission grants. For example, authors cannot directly know if there is a battery or not in the hosting device.

Back in 2015, security researchers revealed that it was easy to abuse the API to track browsing on the internet. One of the major concerns the researchers raised was that a website could link a user's visits even when the user was in private browsing mode.

“Users who try to revisit a website with a new identity may use browsers’ private mode or clear cookies and other client side identifiers. When consecutive visits are made within a short interval, the website can link users’ new and old identities by exploiting battery level and charge/discharge times.” Researchers warned [PDF] that “the website can then re-instantiate users’ cookies and other client side identifiers, a method known as respawning.”


To improve user privacy while using Firefox, Mozilla has now decided to cut access to the feature. Starting with Firefox 52, websites will not be able to access the API, which means it won't be used for tracking purposes. The change affects both the desktop and mobile versions of the Firefox browser. However, the API will remain open to extensions and Firefox itself.
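
As an added example (not code from the article, the researchers or Mozilla), the check below can be run from page script in a normal window and then a private window to see whether the battery fields are readable and whether the two readouts match, which is the linkage the researchers describe. The function names and the mock navigator values are assumptions constructed for this example.

```javascript
// Added example, not code from the article or from Mozilla.
// Fields exposed by the Battery Status API's BatteryManager object.
const BATTERY_FIELDS = ["charging", "level", "chargingTime", "dischargingTime"];

// True when the context exposes navigator.getBattery() to page script.
function exposesBatteryApi(nav) {
  return Boolean(nav) && typeof nav.getBattery === "function";
}

// Copy the readout a site would receive and build the tuple the quoted
// research names as linkable: level plus charge/discharge times.
function summarizeBattery(battery) {
  const fields = {};
  for (const name of BATTERY_FIELDS) fields[name] = battery[name];
  const linkKey = [fields.level, fields.chargingTime, fields.dischargingTime].join("|");
  return { fields, linkKey };
}

// Audit one context, e.g. a normal window, then a private window.
async function auditBatteryExposure(nav) {
  if (!exposesBatteryApi(nav)) return { exposed: false, fields: null, linkKey: null };
  const battery = await nav.getBattery(); // no permission prompt, per the article
  return { exposed: true, ...summarizeBattery(battery) };
}

// Two audits are linkable when both expose the API and the tuples match.
function readoutsLinkable(a, b) {
  return a.exposed && b.exposed && a.linkKey === b.linkKey;
}

// Constructed mock navigators (hypothetical values) so the check runs offline.
const mockReadout = { charging: false, level: 0.43, chargingTime: Infinity, dischargingTime: 8940 };
const mockExposed = { getBattery: async () => mockReadout };
const mockRemoved = {}; // content context without getBattery, as in Firefox 52 per the article

// In a browser, audit the real navigator and print the result.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  auditBatteryExposure(navigator).then((report) => console.log(report));
}
```

An `exposed: false` result in web content is the behaviour the article describes for Firefox 52 and later.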
