Phone batteries may have privacy loophole
Hyderabad: A feature that enables websites to track devices’ battery power could be exploited as a security loophole, researchers have warned. Known as the Battery Status API (application programming interface), the HTML5-based feature allows websites to figure out how much battery power a visitor has left on his or her smartphone or laptop.
The feature is currently supported by Firefox, Opera and Chrome browsers. It was introduced in 2012 by the World Wide Web Consortium with the aim of helping websites conserve devices’ battery life.
“HTML5 Battery Status API enables websites to access the battery state of a mobile device or a laptop. Using the API, websites can check the battery level of a device and use this information to switch between energy-saving or high-performance modes. All the information exposed by the Battery Status API is available without users’ permission,” the paper read.
But now, four French and Belgian security researchers have raised doubts about the feature and claim it can be used to track users’ browsers.
“Users who try to revisit a website with a new identity may use browsers’ private mode or clear cookies and other client-side identifiers. When consecutive visits are made within a short interval, the website can link users’ new and old identities by exploiting battery level and charge/discharge times. The website can then reinstantiate users’ cookies and other client-side identifiers, a method known as respawning,” the paper said.
In simpler terms, the data gathered to determine battery life can be used to create ‘IDs’, which will enable entities to track users across the web.
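The linkage the paper describes can be checked with a short audit script. This is an added example, not code from the article or the paper; the readings, identifiers and 30-second window are constructed assumptions, and it assumes the battery readout is unchanged between the two visits.

```javascript
// Added illustration. Readings mirror the BatteryManager fields level,
// chargingTime and dischargingTime; every value below is constructed.
const SHORT_INTERVAL_MS = 30_000; // assumed meaning of "a short interval"

// Collapse one reading into a comparable key.
function batteryKey(r) {
  return `${r.level}|${r.chargingTime}|${r.dischargingTime}`;
}

// For each cookieless visit, list the earlier identified visits that showed
// the same battery state within the window. Exactly one candidate means the
// "new" identity can be tied to the old one even though cookies were cleared.
function auditLinkability(identified, cookieless, windowMs = SHORT_INTERVAL_MS) {
  return cookieless.map((visit) => {
    const candidates = identified
      .filter((old) => batteryKey(old) === batteryKey(visit) &&
                       visit.t >= old.t && visit.t - old.t <= windowMs)
      .map((old) => old.cookieId);
    const unique = [...new Set(candidates)];
    return { session: visit.session, candidates: unique, linkable: unique.length === 1 };
  });
}

// Constructed sample: visits seen while a cookie was present (t in ms)...
const identified = [
  { cookieId: "user-A", t: 0,    level: 0.43, chargingTime: Infinity, dischargingTime: 8940 },
  { cookieId: "user-B", t: 2000, level: 0.80, chargingTime: Infinity, dischargingTime: 15000 },
  { cookieId: "user-C", t: 3000, level: 0.80, chargingTime: Infinity, dischargingTime: 15000 },
];
// ...and later visits from private mode or after clearing cookies.
const cookieless = [
  { session: "private-1", t: 12000,  level: 0.43, chargingTime: Infinity, dischargingTime: 8940 },
  { session: "private-2", t: 14000,  level: 0.80, chargingTime: Infinity, dischargingTime: 15000 },
  { session: "private-3", t: 900000, level: 0.43, chargingTime: Infinity, dischargingTime: 8940 },
];

const report = auditLinkability(identified, cookieless);
console.log(report);
```

Only the first private session is uniquely linkable: the second shares its battery state with two known visitors, and the third falls outside the time window.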