CR, Feb 19, 2020

Tricking Johnny into Granting Web Permissions

arXiv:2002.08463v10.003 citations
AI Analysis15

This addresses a security vulnerability for web users, exposing risks in current browser designs, but is incremental as it highlights an existing issue rather than proposing a new solution.

The study tackled the lack of protection in web permission API dialogs, finding that users can be tricked into granting webcam permission with high success rates, such as 95% on mobile and 72% on desktop browsers without prevention mechanisms.

We studied the web permission API dialog box in popular mobile and desktop browsers, and found that it typically lacks measures to protect users from unwittingly granting web permission when clicking too fast. We developed a game that exploits this issue, and tricks users into granting webcam permission. We conducted three experiments, each with 40 different participants, on both desktop and mobile browsers. The results indicate that in the absence of a prevention mechanism, we achieve a considerably high success rate in tricking 95% and 72% of participants on mobile and desktop browsers, respectively. Interestingly, we also tricked 47% of participants on a desktop browser where a prevention mechanism exists.
