428 points | coronadisaster | 12 comments
jamesgeck0 ◴[] No.23679063[source]
> Web MIDI API - Allows websites to enumerate, manipulate and access MIDI devices.

This API is actually a bit horrifying from a security perspective. In addition to allowing you to use MIDI keyboards as input devices on websites, it also allows websites to send binary firmware updates to MIDI devices. The reason is that it's common to use custom firmware to back up/restore settings and enable neat effects and functionality on MIDI devices.

Mozilla's engineers have reasonably pointed out that an attacker utilizing Web MIDI could use MIDI devices as a stepping stone to launch an attack against the user's PC outside of the web sandbox. One such attack might be by reprogramming the device to appear as a standard USB computer keyboard and "typing" commands to the host.

At least one well-known manufacturer has vouched for the technical safety of their musical instruments, noting that they're physically designed in such a way that the MIDI firmware can't alter USB firmware. But there's no way to know that every MIDI device has been similarly well designed.

As neat as Web MIDI is, I think Mozilla and Apple probably made the right security call here.

https://github.com/mozilla/standards-positions/issues/58

replies(11): >>23679155 #>>23679165 #>>23679283 #>>23679303 #>>23679633 #>>23680706 #>>23681158 #>>23681737 #>>23682770 #>>23683437 #>>23683855 #
henriquez ◴[] No.23679633[source]
Fun fact: for quite a long time Chrome skipped over the user permission step in the Web MIDI spec, always allowing access and silently giving ad networks a list of connected USB MIDI devices with no user consent:

https://www.obsessivefacts.com/blog/2018-10-20-chrome-allows...

Here's what appeared on porn site xhamster.com once newer versions of Chromium got around to implementing the permission check (SFW-ish):

https://www.obsessivefacts.com/images/blog/2020-04-04-the-ja...

replies(1): >>23679844 #
tyingq ◴[] No.23679844[source]
Guessing it was for additional browser fingerprinting.
replies(1): >>23680317 #
polycaster ◴[] No.23680317[source]
That seems a bit far-fetched.
replies(3): >>23680413 #>>23680427 #>>23680449 #
1. tyingq ◴[] No.23680449[source]
Not sure why that's more odd than other crazy fingerprinting techniques actually in use. Keep in mind no MIDI devices would need to be present for fingerprinting. Different failure modes, etc.

Especially in the porn industry where the end users are likely using incognito mode or a VPN.

replies(1): >>23681713 #
2. microtherion ◴[] No.23681713[source]
I still don't understand how WebMIDI would be used for fingerprinting of the vast majority of users who don't have any MIDI devices connected to their machine.
replies(5): >>23681848 #>>23681992 #>>23683586 #>>23685364 #>>23690180 #
3. windowsworkstoo ◴[] No.23681848[source]
Because that's what you want when fingerprinting... the few users who have one connected give you probably quite an accurate fingerprint for those users.
replies(1): >>23684746 #
4. tyingq ◴[] No.23681992[source]
Here's a jsfiddle: https://jsfiddle.net/wj69s4fh/

I get different types of failures and messages from different versions of Chrome, Firefox, and IE. None of which have any MIDI devices. Those errors, or the structure of the resulting object if it succeeds, are all fingerprint inputs.

replies(1): >>23682156 #
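The point in the comment above (errors and result shape differ between browsers even with no MIDI device attached), as an added example that is not part of the thread or the linked jsfiddle: a probe you can run against your own browser to see what a page learns from one Web MIDI call. The three mock navigators and the device and vendor names are constructed for illustration.

```javascript
// Added example: records only what a page can observe from one Web MIDI call.
// Pass the real `navigator` in a browser console to audit your own browser.
async function probeWebMidi(nav, options = { sysex: false }) {
  const report = { apiPresent: false, outcome: "absent", errorName: null,
                   sysexEnabled: null, inputs: [], outputs: [] };
  if (!nav || typeof nav.requestMIDIAccess !== "function") return report;
  report.apiPresent = true;
  try {
    const access = await nav.requestMIDIAccess(options);
    report.outcome = "granted";
    report.sysexEnabled = access.sysexEnabled === true;
    // Port names and manufacturers are readable once access is granted.
    const describe = (p) => ({ name: p.name, manufacturer: p.manufacturer });
    report.inputs = Array.from(access.inputs.values(), describe);
    report.outputs = Array.from(access.outputs.values(), describe);
  } catch (err) {
    report.outcome = "rejected";
    report.errorName = err && err.name ? err.name : String(err);
  }
  return report;
}

// Constructed stand-ins for three browser behaviours; none has MIDI hardware.
const CONSTRUCTED_NAVIGATORS = {
  noApi: {},
  blocked: { requestMIDIAccess: async () => {
    const e = new Error("blocked"); e.name = "SecurityError"; throw e;
  } },
  virtualSynth: { requestMIDIAccess: async (o) => ({
    sysexEnabled: Boolean(o && o.sysex),
    inputs: new Map(),
    outputs: new Map([["out-0",
      { name: "Example Virtual Synth", manufacturer: "Example OS Vendor" }]]),
  }) },
};

// Number of distinguishable probe results across the given navigators.
async function countDistinctProfiles(navigators) {
  const seen = new Set();
  for (const nav of Object.values(navigators)) {
    seen.add(JSON.stringify(await probeWebMidi(nav)));
  }
  return seen.size;
}

countDistinctProfiles(CONSTRUCTED_NAVIGATORS).then((n) =>
  console.log(`${n} distinguishable profiles from 3 device-less browsers`));
```

A browser that rejects the call or shows a permission prompt before returning any port list gives a page the least to work with.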
5. amatecha ◴[] No.23682156{3}[source]
Yeah, ran it in Chrome, the browser didn't say a thing whatsoever and I see MIDIAccess object in JS console. Nice to know the browser just allows this entire API by default.
6. Someone ◴[] No.23683586[source]
I would guess quite a few browsers or operating systems would implement at least one virtual MIDI device, so that sites wanting to play MIDI would work. Those virtual devices wouldn’t all be identical.
7. admax88q ◴[] No.23684746{3}[source]
I'm sure there are fingerprint libraries that include every possible API that the browser provides. Does MIDI provide a good fingerprint alone? Probably not, but it can serve as a few more bits of information thrown into the mix when implementing fingerprinting. It's not like it would take many engineer hours to add it to an otherwise already functional fingerprinting system.
replies(1): >>23685348 #
8. scrollaway ◴[] No.23685348{4}[source]
It's far-fetched to think that Google added Web MIDI in this way just for a couple of bits of entropy which are essentially worthless (no ad network cares about identifying like 0.01% of people, if even that. Yes it's very valuable entropy if you want to identify those people specifically, but who actually wants to do that?)
replies(2): >>23685676 #>>23688453 #
9. gowld ◴[] No.23685364[source]
It takes almost no work to check all available browser context, once you check for some of it.
10. tyingq ◴[] No.23685676{5}[source]
Well, in this case, a porn site wants to tie what it shows you to what you liked last time you visited. They aren't after your identity per se. They are after a conversion. And since you might be using incognito mode (no lingering cookies), they care about fingerprinting for that.

Edit: I see the disconnect now. I'm not saying Google/Chrome added the MIDI API for fingerprinting. I'm saying the screenshot way up this thread is an example of a site using it for that purpose.

11. boomlinde ◴[] No.23688453{5}[source]
The point is not to identify the people using Web MIDI but to identify individual users, regardless of what information exactly identifies them. To that end, every single piece of entropy helps. A good approach to it in general is to opportunistically consume every available API that can possibly divulge identifying information.

A lot of people also do have a virtual MIDI device installed whether they know about it or not. The name of this device differs between different operating systems and operating system revisions.

12. elondaits ◴[] No.23690180[source]
It might be a way to detect bots, even on headless browsers, that pretend to be Chrome but don’t implement the MIDI API. I’m sure crawlers are the bane of the porn industry.