Disable WebUSB and WebBluetooth in Google Chrome

[harlan4096]

Web browsers support an increasing number of APIs and features, and there does not seem to be an end in sight to that.

Recent additions to Google Chrome, the WebUSB and WebBluetooth APIs, allow sites to interact with devices connected to the device the browser is run on.

While there are certainly cases where this may be useful, it is sometimes the case that the introduction of new features has unforeseen consequences.

In the case of WebUSB and WebBluetooth, it is opening the doors for sophisticated phishing attacks that could bypass hardware-based two-factor authentication devices such as some Yubikey devices.

Security researchers demonstrated recently that the WebUSB functionality of the Google Chrome web browser can be used to interact with two-factor authentication devices directly and not Google Chrome's API (U2F) designed for that purpose.

The attack bypasses any protection that two-factor authentication devices offer that are susceptible.  Devices need to support protocols for connecting to a browser other than through U2F for the attack to work and users need to interact with the phishing site for the attack to be carried out successfully.

Full reading: https://www.ghacks.net/2019/01/25/disabl...le-chrome/