Malicious Use of the HTML5 Vibrate API


There is a new API in town! HTML5 will (soon) let you make the user's device vibrate. What fun! Obviously, it's useful for triggering alerts, improved immersiveness during gameplay, and all sorts of other fun things like sending Morse Code messages via vibration.

At the moment, Chrome (and other Android browsers) ask for permission before accessing features such as geo-location, camera, address book etc. This is a security measure to prevent your private information leaving your hands without your knowledge.

At the moment, accessing the HTML5 Vibrate API doesn't trigger an on-screen warning. Its use is seen as pretty innocuous. Because, realistically, the worst it can do is prematurely drain your battery. Right?

I'm not so sure.

Evil Thoughts

We've all seen those scummy adverts designed to look like Windows pop-ups. They usually pose as a legitimate system request - "Update Java" or similar.

Suppose a malicious web page pops up a fake system notification and vibrates at the same time. How confident would you be of telling the difference between a legitimate pop-up and a .png on the web page you're viewing? After all, the phone buzzed - so it must be genuine.

[Image: fake AirDrop notification] Are you really receiving an "AirDrop" - or is this page trying to trick you?

Autoplaying sound on adverts is annoying - auto-vibration could be just as irritating. Imagine searching through tabs until you found the single advert which was pulsing away trying to get you to buy new insurance.

For now, the intensity of the vibration cannot be controlled - only the duration. It is not impossible to conceive of malicious code being able to exploit an unpatched browser flaw and overdrive the motor to destruction.

Faking Telephone Calls

When combined with HTML5 Audio, it would be possible to create a fairly realistic "Incoming Call" screen which vibrated and played a ringtone. Once "answered", the page could play some audio which says "Hi, can you call me back urgently - my number is [premium rate line]" and then, perhaps, automatically open up the dialer using the tel: URI.
[Image: fake incoming phone call rendered in the browser]
Could you tell if the above was a real phone call? If you looked closely, probably, but when the browser is playing your phone's default ringtone and the handset is vibrating, it would be pretty easy to be confused. Combine it with a WebRTC call and you're looking at a very convincing scam.

Video Demo

Source Code

Here's a basic example which you can try on your own phone - demo site.

<body>
   <script type="text/javascript">
      // Use whichever (possibly vendor-prefixed) name this browser exposes
      navigator.vibrate = navigator.vibrate || navigator.webkitVibrate || navigator.mozVibrate || navigator.msVibrate;
      // Pattern is [on, off, on, off, ...] in milliseconds: 1s on, 0.5s off, seven times
      navigator.vibrate([1000, 500, 1000, 500, 1000, 500, 1000, 500, 1000, 500, 1000, 500, 1000, 500]);
   </script>
   <!-- Full-width screenshot of an incoming-call screen; tapping it opens the dialler -->
   <img width="100%" src="phone.png" onclick="window.location.href='tel:09098790815';" />
   <!-- Starts the ringtone as soon as the page loads -->
   <audio autoplay="autoplay">
      <source src="ring.mp3" />
   </audio>
</body>

At the moment, the auto-vibrate and auto-ring only work on Firefox for Android. But no doubt other browsers will follow suit soon.
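As an added example (not the post's own code), here is a page-side wrapper around navigator.vibrate that enforces, in script, the limits a careful browser implementation applies anyway: vibrate only while the page is visible, cap the total on-time, and cancel the pattern as soon as the tab is hidden. `nav` and `doc` are injected so the logic can be exercised outside a browser, and MAX_TOTAL_MS / MAX_ENTRIES are assumed caps chosen for this example, not values from any specification.

```javascript
// Added example: a guarded wrapper around navigator.vibrate.
// nav/doc are passed in (normally `navigator` and `document`) so the
// decision logic can run and be tested without a real device.

const MAX_TOTAL_MS = 5000;   // assumed cap on total motor on-time per call
const MAX_ENTRIES = 20;      // assumed cap on pattern length

// Validate a vibrate() pattern ([on, off, on, ...] in milliseconds).
// Returns the total "on" milliseconds, or -1 if the pattern is rejected.
function patternOnTime(pattern) {
  if (!Array.isArray(pattern) || pattern.length === 0 || pattern.length > MAX_ENTRIES) {
    return -1;
  }
  let on = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ms = pattern[i];
    if (!Number.isInteger(ms) || ms < 0) return -1;
    if (i % 2 === 0) on += ms;   // even indices are the "on" segments
  }
  return on <= MAX_TOTAL_MS ? on : -1;
}

// Request a vibration. Returns true only if the request was forwarded.
function guardedVibrate(nav, doc, pattern) {
  const vibrate = nav.vibrate || nav.webkitVibrate || nav.mozVibrate;
  if (typeof vibrate !== 'function') return false;      // API not supported
  if (doc.visibilityState !== 'visible') return false;  // hidden tab / background
  if (patternOnTime(pattern) < 0) return false;          // over the caps or malformed

  vibrate.call(nav, pattern);

  // Cancel as soon as the page stops being visible (tab switch, screen off).
  const stop = () => {
    if (doc.visibilityState !== 'visible') {
      vibrate.call(nav, 0);   // vibrate(0) cancels any running pattern
      doc.removeEventListener('visibilitychange', stop);
    }
  };
  doc.addEventListener('visibilitychange', stop);
  return true;
}
```

With the 5 s cap used here, the seven-second pattern from the demo above is rejected outright, which is the point: a legitimate alert does not need to keep the motor running that long.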

Warnings

Firefox was the only browser I found which supported Vibrate - on Android, neither Samsung's browser, Chrome, or Opera did - iPhone also doesn't yet support it. No one cares about Windows Phone or BlackBerry - so I didn't test them*.

Firefox doesn't currently ask for permission when a page requests access to vibrate.

Do you think browsers should warn before a page vibrates - or is the risk too low? I guess we'll have to see if the scammers take advantage of it - and whether there is a user backlash.

*Update: thanks to the comments on Reddit and on HackerNews it would appear that BB10 does support the vibrate API, Windows Phone doesn't.


43 thoughts on “Malicious Use of the HTML5 Vibrate API”

  1. (disclaimer: I'm involved in the W3C group that is developing the vibration API)

    Re "Imagine searching through tabs until you found the single advert which was pulsing away trying to get you to buy new insurance.", the vibration API spec is pretty clear that you should only vibrate from a visible Web page. And I expect that if vibration proves to be used annoyingly, browsers may end up providing an easy way to mute "web sites", or even handle them as they have handled pop-ups.

    Re unpatched browser flaw destroying the motor, it would also have to be on an OS that doesn't prevent applications from doing so; and if one starts from a flawed browser, then no permission grant in the world would change anything about the problem (because you could then also assume that that permission grant could be buggy).

    While vibration may add credibility to your (clever) pseudo-call attack, arguably the audio and visual aspects are sufficient to make it convincing on its own. I think the real attack vector here is that calling an innocuous looking number can cost you money.

    I guess the case can be made that users don't expect Web pages to have certain capabilities, and the surprise this creates can be exploited maliciously; but that's probably true of any new capability, and unless we want to gate any such new capability behind a browser prompt, this is probably unavoidable.

    See also some of my recent research on browser permission management: http://lists.w3.org/Archives/Public/public-web-mobile/2014Jan/0001.html
    1. Hey Dom,

      Thanks for your comment. I agree that some scenarios are unlikely. Its real danger, as you've identified, is that unexpected behaviour can lend credence to an otherwise obvious attack. For example, if you take a look at this fake "Android virus alert" - how much more convincing would it be if the phone vibrated with its "alert"?

      It will be interesting to see how this develops - and I look forward to reading more about the permissions model.

      T
    2. Craptastic says:

      "Thank you for helping us trick your parents and grandparents!" - every phishing scam creator on the planet. REQUIRE USER APPROVAL FOR THIS API, NOW. Either think about USERS FIRST or stay away from web standards.
    3. Glen says:

      What kind of legitimate use case did you imagine for this feature? Because I am REALLY sick and tired of all the fake malware, "Your system is infected", insane vibrations and redirects to the Google Play store. I have to say that you come off looking pretty ignorant here. How could you possibly not foresee this? What did you do? Sit with your friends on the W3C group and say, "We don't feel that pop-ups are abusive enough these days, since many users have learned to block them. We must give malware authors another usable attack vector." You, and anyone else on that group that did not immediately see this as the WORST IDEA EVER should leave the committee, and the internet, forever.
          1. Michael van Ouwerkerk says:

            I worked on this feature for Chrome on Android, and this is our current approach. Vibration will stop when the user:
            * Navigates away
            * Reloads the page
            * Switches to a different tab
            * Closes the tab
            * Sends the browser to background
            * Turns the screen off

            It should also not start at all if vibration is turned off for the phone as a whole i.e. it's on silent.

            There are also limits to how long the device will vibrate.

            Try it out here: http://jsbin.com/UKamoNID/1

            Also, if the user doesn't like the page, he can close it and not go there again. It is the most basic way of user control in a browser, and proven to be quite effective. If it turns out that this feature really does get abused a lot, like browser popups did, then we'll have more data. This would give better insight into how to counter the abuse without degrading the user experience for valid usage.
            1. a@mailinator.com says:

              Congratulations. Almost two years later and we have fullscreen scareware 'your device is infected' ads popping up and vibrating the device full tilt. It isn't dodgy sites either, I got one on washington post's mobile site. And there's no way to disable this 'feature'. Idiots blindly following the spec like you are so eager to put in 'new and cool' features that you don't stop to question whether you should.
              1. jnesselr says:

                While I wouldn't call them idiots, I think the idea of just navigating away from a page is foolish. I just had an ad on a normal site redirect me to a page I couldn't leave without killing the browser and then leaving the page before it loaded. Trying to go back just redirected back to the same page. It was vibrating the entire time which made the experience even more frustrating. I really don't want my browser to be able to vibrate. If a site wants my attention, it already has enough means.

                Of course, redirecting ads are a big problem with mobile anyway. I hate when I'm on a site and suddenly Google play pops up because some ad redirected me. One of these ads could easily tell me I need to download something to improve my phone. That app could install apps itself if it had the right permissions.
            2. I disagree with just navigating away as sometimes it's impossible. I landed on this page while searching for a way to disable it completely because I just got hit with an ad that vibrates my phone nonstop and shows a dialog that I must click which in turn opens another dialog and of course the history is destroyed so you can no longer go back to the page you wanted. So basically you have to exit the browser or watch your vibrator die?
        1. Below Standards says:

          And... it's awful. The user doesn't need to approve domains for vibration, so I've already seen this API used in multiple cases... all PHISHING SCAMS, using Google imagery, vibrating, and telling the user to click a button to fix it... at which point it probably downloads a virus or asks for your password. Either the spec or the browser implementation didn't put users first. FAIL.
  2. Well, all it proves is that you can fake an interface. The call still has to be initiated by you. Makes it look scary but also is not the normal way you would have an incoming call act on the OS. It is Phishing, plain and simple. Also, you need to match my dialtone that I set, and as you can not read that one it'll be weird to hear another one.
    1. True - but I wonder how many people change their default ringtone. Whenever I hear an iPhone ring, I see several people reaching for their pockets!

      You're right that the call has to be initiated - but it could just as easily be a premium rate SMS, or a prompt to install some malware, etc.
      1. All of which have the same issue. An sms:// domain still needs the user to install it. A prompt to install software will very much tell you what that software wants to access and to do, and apps that reach data or functionality of your phone that is sensitive (at least in FxOS) need to be hosted on the marketplace and get a security review. Normal web sites are not allowed to access everything https://hacks.mozilla.org/2013/11/firefox-os-security-part-1-the-web-security-model/ .
        I very much agree that vibration allows you to get the user's attention much better than without it, but I am not sure about the credibility aspect of it. In essence this is like a fake browser toolbar and a ping sound - or a desktop notification like Chrome has with a ping sound.

        My fave fake interface lately was this: https://www.youtube.com/watch?v=3SKDbmQosfg
        1. Again, I don't disagree with you. This is purely about shortcutting the user's expectations. It still requires interaction. Those fake toolbars, I'm sure, get more clicks when they play "Windows Error.wav" than when they don't.
  3. Also: why the onclick handler to initiate the tel:// pseudo? Just wrap the image in a link pointing to it - then you won't have the tap delay 🙂
    1. Ah, that's a hangover from when I was trying to get a different piece of audio to play when you "answered" the phone. Something like "Call me back urgently - I'm sending my number to your phone."
  4. joe says:

    Yes, permission should be required for both vibrate and simple sound. The fact that we haven't had this has led to auto-playing videos disrupting the user unnecessarily. There is no question that both should be controlled by the user.
  5. Hellman Holst says:

    Combine this with WebRTC and the whole world of e-Dildonics is opened wide for you to exploit for fun or profit or both.
    1. That doesn't stop a malicious actor binding the event to an innocuous touch action. For example, add it to a scroll down event, add a 10 second delay before vibrating / playing. How would you know what caused it?
  6. Of course, it doesn't stop a malicious someone from doing evil things, it just makes his work more complicated (find a way to induce the user to touch the interface first and not just bind to the onload event). And that's why, in my opinion, it would still protect most users from these unsolicited spam behaviours.

    After all, can you really stop someone malicious from doing malicious things? I don't think the "ask for permission popup" model would offer us a better guarantee...
  7. me says:

    The websites don't vibrate the phone, but it's the ads that are vibrating my phone continuously. A small number of irritating ads that can appear on a great many websites, so I should just block all the websites due to this stupid API that was exploited by ad companies? f**** browsers and html5
  8. kuku says:

    As a simple consumer, these vibrating ads are way TOO MUCH and ANNOYING.
    The ads just hijack the hyperlink until I want to throw the phone out of the window or smash it with a hammer....
  9. subs says:

    "It is not impossible to conceive of malicious code being able to exploit an unpatched browser flaw and overdrive the motor to destruction."

    Although 'not impossible'- pretty close. Lots of good stuff in this post and the comments, but when you get a bit preachy and come up with something like the line above, it detracts from the more reality-based parts of the post.
  10. Hey, it will be very helpful if you reply to this message.
    Sites that make the phone vibrate continuously are surely not a normal thing to experience. So yes, it's a site we should stay far away from. But suppose we entered a site, I mean just selected it on Android, and suddenly the phone vibrated. Now we closed the page, then the app, without pressing any pop-ups. Is our phone safe this way?
    I faced this a year back and now just 5 minutes back, and I did what I said above, so am I good now?
    The other question is: will it harm my device or corrupt some files, or let a virus enter?
    1. Terence Eden says:

      Your phone will be fine. Don't visit that website again. If you are concerned, you can always factory reset your phone to completely wipe it clean.
  11. Yokozuna says:

    The computer must never be master over its human. The human must always be able to control the behaviors of the machine. Any feature like this, with proven (and clearly anticipated) capability for promulgating fraud and nuisance must be proactively controllable by the user prior to being introduced to the device.

    Unfortunately, Apple, Google, Microsoft and now, W3C, believe that we humans are too stupid to participate in the management of the devices and services that we purchase from them. Well, as evidenced by the hundreds of thousands of complaints made by tens of thousands of users who are disenfranchised by these ignorant, harmful design decisions, the system is not working.
  12. garywzh says:

    F**K Vibrate API

    F**K HTML5

    year after year, this SHIT is STILL happening
  13. RavanH says:

    Opera on Android allows vibrate... Otherwise excellent browser but this sucks 🙁