Comment by bigfishrunning
17 hours ago
Yeah, but if you request WebUSB access maliciously to some random device, an unsavvy user is likely to click OK without thinking about it. It's still very much a viable attack vector.
That's not how WebUSB works: the user always has to pick the device themselves from a list. The list cannot have a device pre-selected, and the "Connect" button is greyed out until the user makes a choice themselves.
The default "wtf? get this out of my face" path for a confused user is "Cancel".
The list can be filtered with vendorId filters defined ahead of time, but even if only a single device qualifies, the user still has to choose to click it to enable the "Connect" button.
Once a device has been selected, it is considered "paired" to that specific site and the site can see its presence if available on future page loads. The user can revoke access/"unpair" from the site permissions button.
See the example below of the pairing process:
https://imgur.com/a/HkpHBW5
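The pairing flow the reply describes, as an added example that is not part of the thread: connectDevice() takes the WebUSB object (navigator.usb in a browser) as a parameter so the same logic can run offline against the constructed mock below; the device values and the mock are made up.

```javascript
// Added example, not code from the thread. Shows the WebUSB pairing flow:
// a vendorId filter defined ahead of time, the user-driven chooser (cancel
// surfaces as a NotFoundError), and paired devices reappearing via getDevices().
// In a browser pass navigator.usb; requestDevice() must be called from a user
// gesture such as a click handler.
async function connectDevice(usb, vendorId) {
  // Devices the user already paired with this origin are visible on later
  // page loads without any prompt.
  const paired = await usb.getDevices();
  const known = paired.find((d) => d.vendorId === vendorId);
  if (known) return { status: "paired", device: known };

  try {
    // The filter narrows the chooser list; the page cannot pre-select anything,
    // the user must click a device before "Connect" is enabled.
    const device = await usb.requestDevice({ filters: [{ vendorId }] });
    return { status: "connected", device };
  } catch (err) {
    // "Cancel", or no device chosen, is reported as a DOMException named NotFoundError.
    if (err && err.name === "NotFoundError") return { status: "cancelled", device: null };
    throw err;
  }
}

// Constructed mock standing in for navigator.usb so the flow runs outside a browser.
// `userPicks` models the device the user clicks in the chooser (null = Cancel).
function mockUsb({ paired = [], userPicks = null } = {}) {
  const granted = [...paired];
  return {
    getDevices: async () => [...granted],
    requestDevice: async ({ filters }) => {
      // A device that does not match the filters is not listed, so it cannot be picked.
      const listed = userPicks && filters.some((f) => f.vendorId === userPicks.vendorId);
      if (!listed) {
        const e = new Error("No device selected.");
        e.name = "NotFoundError";
        throw e;
      }
      granted.push(userPicks); // the chosen device is now "paired" to this origin
      return userPicks;
    },
  };
}
```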