Browser-laptop: disable webusb API

Created on 2 Mar 2018 · 9 Comments · Source: brave/browser-laptop

Test plan

See https://github.com/brave/browser-laptop/pull/13375

Original issue description

webusb can be used to bypass yubikey phishing protection at the moment: https://www.wired.com/story/chrome-yubikey-phishing-webusb/ -> we should disable navigator.usb

@flamsmark also suggested disabling navigator.bluetooth

maybe also https://developer.mozilla.org/en-US/docs/Web/API/Navigator/sendBeacon ?

Qchecked-Linux Qchecked-Win64 Qchecked-macOS Qtest-plan-specified privacy release-noteinclude security

All 9 comments

we actually don't support bluetooth yet AFAIK. https://googlechrome.github.io/samples/web-bluetooth/device-info.html?allDevices=true fails without showing a prompt in Brave.

Hello

I am a developer of Trezor - a cryptocurrency hardware wallet - and in the next iteration of our products, we will support WebUSB.

I have tested the WebUSB version of Trezor, and WebUSB doesn't actually work in Brave. (Tested on Linux.)

navigator.usb is defined, but navigator.usb.getDevices() does not show the device picker, so the web never gets the permissions.

Our web wallet detects whether webusb is defined via navigator.usb; if it is not defined, we offer the user to install a local server, which the browser then connects to. Anyway, this detection is broken in Brave - navigator.usb is defined, yet navigator.usb.getDevices() never shows anything.

So please, either disable it (by setting navigator.usb to null) or fix it. Right now, webUSB is enabled, but broken. Which is actually good security-wise (nobody can access any device anyway), but bad from a web developer's point of view.

(Btw - here is the public Chrome issue that deals with this - Google's solution is to just blacklist the yubikey IDs. This works to patch the bug, but does not fix the underlying issue, which would be fixable by at least optional descriptors, as I noted there and on the webusb github https://github.com/WICG/webusb/issues/127 )

I would personally prefer if the webusb was enabled, but the descriptor rules enforced :) which would fix this, as the yubikey devices definitely don't have the webusb descriptors.

But that would require changes probably beyond the scope of Brave

@karel-3d as you can see in https://github.com/brave/browser-laptop/pull/13375 it's going to be disabled for now

Hm, it seems that navigator.usb is still defined, but the function returns a rejecting promise. This is not ideal :/ as it requires special casing

@karel-3d good point. i think i can set them to undefined

Thanks, this will help!

When Chrome recently (today) kill-switched webusb remotely, it set navigator.usb to undefined
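
The detection problem raised in this thread (navigator.usb defined, yet every request fails), as an added example that is not code from Brave, Trezor or the linked pull request: a check that falls back to a local bridge both when the property is absent and when the call rejects. The function names, the 'bridge' label and the SecurityError used for the disabled case are assumptions made for illustration.

```javascript
// Added example. 'bridge' stands for the local-server fallback from the thread.
// Classify navigator.usb without calling it: undefined, null, or an object
// without requestDevice all count as absent.
function usbApiState(nav) {
  const usb = nav ? nav.usb : undefined;
  if (usb == null || typeof usb.requestDevice !== 'function') return 'absent';
  return 'exposed'; // defined, but may still reject every request
}

// NotFoundError is what WebUSB uses when no device was selected in the picker;
// any other rejection is treated here as "API blocked by the browser".
function classifyRejection(err) {
  return err && err.name === 'NotFoundError' ? 'user-cancelled' : 'blocked';
}

// Pick a transport. In a real page, call this from a user gesture.
async function chooseTransport(nav, filters) {
  if (usbApiState(nav) === 'absent') return { transport: 'bridge', reason: 'absent' };
  try {
    const device = await nav.usb.requestDevice({ filters });
    return { transport: 'webusb', device };
  } catch (err) {
    const reason = classifyRejection(err);
    // A dismissed picker is not a broken API: offer a retry instead of
    // silently switching transports.
    return { transport: reason === 'blocked' ? 'bridge' : 'none', reason };
  }
}

// Constructed navigator stand-ins for the states discussed in the thread.
const rejectWith = (name) => () =>
  Promise.reject(Object.assign(new Error(name), { name }));
const navUndefined = {};                                   // navigator.usb undefined
const navNull = { usb: null };                             // navigator.usb null
const navRejecting = { usb: { requestDevice: rejectWith('SecurityError') } }; // assumed error name
const navCancelled = { usb: { requestDevice: rejectWith('NotFoundError') } };
const navWorking = { usb: { requestDevice: async () => ({ productName: 'constructed device' }) } };

// Constructed filter; 0x1234 is a placeholder vendor ID.
const demoFilters = [{ vendorId: 0x1234 }];
for (const [label, nav] of Object.entries(
  { navUndefined, navNull, navRejecting, navCancelled, navWorking })) {
  chooseTransport(nav, demoFilters).then((r) => console.log(label, r.transport, r.reason || ''));
}
```

When the property is simply undefined, only the first branch runs; the catch branch is the special casing needed for a build that exposes the object but rejects every request.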

Verified on macOS 10.12.6 x64 using the following build:

Verified on Windows 7 x64

  • 0.22.7 8bb7e77
  • libchromiumcontent: 65.0.3325.181
  • muon: 5.1.1

Verified on Ubuntu 17.10 x64 using the following build:

  • 0.22.8 3ae27f2
  • libchromiumcontent: 65.0.3325.181
  • muon: 5.1.2