(disclaimer: I’m involved in the W3C group that is developing the vibration API)

Re “Imagine searching through tabs until you found the single advert which was pulsing away trying to get you to buy new insurance.”, the vibration API spec is pretty clear that you should only vibrate from a visible Web page. And I expect that if vibration proves to be used annoyingly, browsers may end up providing easy way to mute “web sites”, or even handle them as they have handled pop ups.

Re unpatched browser flaw destroying the motor, it would also have to be on an OS that doesn’t prevent applications to do so; and if one starts from a flawed browser, then no permission grant in the world would change anything to the problem (because you could then also assume that that permission grant could be buggy).

While vibration may add credibility to your (clever) pseudo-call attack, arguably the audio and visual aspects are sufficient to make it convincing on its own. I think the real attack vector here is that calling an innocuous looking number can cost you money.

I guess the case can be made that users don’t expect Web pages to have certain capabilities, and the surprise this creates can be exploited maliciously; but that’s probably true of any new capability, and unless we want to gate any such new capability behind a browser prompt, this is probably unavoidable.

See also some of my recent research on browser permission management: http://lists.w3.org/Archives/Public/public-web-mobile/2014Jan/0001.html