by Martin Brinkmann on January 25, 2019 in Google Chrome – 1 comment
Web browsers support an increasing number of APIs and features, and there does not seem to be an end in sight to that.
Recent additions to Google Chrome, the WebUSB and WebBluetooth APIs, allow sites to interact with devices connected to the device the browser is run on.
While there are certainly cases where this may be useful, it is sometimes the case that the introduction of new features has unforeseen consequences.
In the case of WebUSB and WebBluetooth, it is opening the doors for sophisticated phishing attacks that could bypass hardware-based two-factor authentication devices such as some Yubikey devices.
Security researchers demonstrated recently that the WebUSB functionality of the Google Chrome web browser can be used to interact with two-factor authentication devices directly and not Google Chrome’s API (U2F) designed for that purpose.
The attack bypasses any protection that two-factor authentication devices offer that are susceptible. Devices need to support protocols for connecting to a browser other than through U2F for the attack to work and users need to interact with the phishing site for the attack to be carried out successfully.
Chrome displays a prompt when a site tries to use WebUSB or WebBluetooth. The user needs to allow the request, and type or paste the account’s username and password in designated forms on the site.
While that puts a barrier in place, one that requires user interaction before it can be carried out, it still does highlight that new features may open up new possibilities for abuse.
Users need to pay attention to permission dialogs that the browser displays to them. Attack sites could be designed in a way to provide users with reassurance that such permission prompts are necessary for functionality. While it is unclear how many users would fall for that, especially those using hardware two-factor authentication devices, it is almost certain that some would.
The two open source browser extensions Disable WebUSB and Disable WebBluetooth address the issue directly; they block the APIs in the browser so that they may not be abused. It should be clear that these extensions will block any interaction with these APIs; it does not distinguish between good and bad requests.
If you never use WebUSB or WebBluetooth, you may want to consider installing the extensions for that extra bit of security. The extensions run silently in the background and block any attempt to use the WebUSB or WebBluetooth API.
Now You: Do you disable certain browser features?