← Back to context

Comment by tredre3

1 day ago

> It's about the same.

It's absolutely not the same. If I go to a WebUSB page to make my device work, it won't magically have access to all my private files and be able to upload them god knows where or to destroy them. Or access to my entire LAN. Or access to my other peripherals.

Any local driver/software will be able to. (Yes I am familiar with sandboxing technologies, they still aren't the default way to distribute apps outside of iOS/Android).

3 comments

tredre3

Reply
bigfishrunning  17 hours ago

Yeah, but if you request webUSB access maliciously to some random device, an unsavvy user is likely to click ok without thinking about it. Its still very much a viable attack vector.

  • toraway  2 hours ago 

      > you request webUSB access maliciously to some random device
  > an unsavvy user is likely to click ok

    That's not how WebUSB works, the user always has to pick the device themselves from a list. The list cannot have a device pre-selected, and the "Connect" button is greyed out until the user makes a choice themselves.

    The default "wtf? get this out of my face" path for a confused user is "Cancel".

    The list can be filtered with vendorId filters defined ahead of time, but even if only a single device qualifies the user still has to chose to click it to enable the "Connect" button.

    Once a device has been selected, it is considered "paired" to that specific site and the site can see its presence if available on future page loads. The user can revoke access/"unpair" from the site permissions button.

    See example below of the pairing process:

    https://imgur.com/a/HkpHBW5