38

While surfing a news website on my mobile, I receive a virus infection alert warning that triggers my phone to vibrate incessantly. The alert looks like the following:

[Image: scareware]

I didn't expect my phone to vibrate and the alert is able to tell me the model of my phone (first panel) and the OS system (second panel). Clicking the back button causes another warning to pop-up (third panel).

I almost wanted to follow the instructions on the second panel to install what looks like an anti-virus. But luckily, I was able to calm my nerves sufficiently to realize that this is a scare-ware served through an ad-server and that the anti-virus could be the actual virus.

Given that the HTML5 vibrate function is a new feature that people hardly encounter on websites, it would not be a surprise that there are people falling prey to this tactic.

Is the HTML5 vibration feature a security vulnerability? Should mobile browsers enable such a feature on websites by default?

Question Overflow
  • 9
    There are loads of JavaScript features which can be abused and should never have been enabled by default in the first place. But too often browser vendors worry more about breaking some legitimate usage than about features being abused. – kasperd Aug 02 '15 at 16:55
  • 1
    At least now you know what browser to stop using. That this is even possible is ridiculous. Not that the status of actual security on anything mobile (or even the web in general) isn't hopeless and laughable, but this is big, hearty, roaring belly-laughable. – zxq9 Aug 02 '15 at 21:28
  • 10
    "This page at andro-apps.com says:" should be a dead giveaway. – user253751 Aug 02 '15 at 22:03
  • 13
    By the way, not directly an answer, but you should *always read the message* on the screen. Would an American say "You are badly infected with (4) Virus"? No. They wouldn't. Read the message aloud. If it *sounds* like bad English, it's because it's a scammer from another country. Also, "your phone is exposed to HIGH RISK and UNSECURED" is grammatically uncomfortable, as opposed to "your phone is unsecured, and potentially vulnerable." Learning how to recognize a scam should be your top priority, not asking about vibration. – phyrfox Aug 03 '15 at 01:50
  • 2
    @phyrfox: good grammar doesn't necessarily mean it's a legitimate warning. While bad grammar is an immediate giveaway that the warning is likely illegitimate, there are other things you need to pay attention to; for example, the "The page at ... says" is a dead giveaway that the dialog box is from the page in the browser, not the system. – Lie Ryan Aug 03 '15 at 11:15
  • Bad grammar need not be a giveaway for illegitimate content. For example, the mostly harmless Microsoft support website offers German information that is produced by an awfully bad machine translation (so bad that I as a native speaker of German often fail to understand anything of the text). – Hagen von Eitzen Aug 03 '15 at 14:02
  • Re: Grammar. It's not a direct correlation (i.e. "good grammar is legitimate" and "bad grammar is a scammer"), it's simply an indicator ("this content has bad grammar and so is *probably* a scam" versus "this content has good grammar, so I need to investigate more"). I also primarily speak for English, and more particularly American English, where I live. We see this sort of message all the time on anything remotely dodgy, especially on adult-oriented sites with banner ads targeting Americans (by IP). – phyrfox Aug 03 '15 at 14:14
  • There *are* other indicators, such as visiting a well-known site (e.g. www.microsoft.com) versus an address bar that shows something like "advancedmicrosofttechnicalsupport.com.ru" with no SSL certificate or an invalid certificate, etc. In other words, one really does need to learn to identify content by grammar, presentation, SSL security, and, my favorite, common sense. A browser is "sandboxed" from the system, so if you see "the page says", you're in a browser, and browsers *cannot* scan your system for viruses. – phyrfox Aug 03 '15 at 14:18
  • The alert showing your phone and OS version is easily explained: Web browsers submit this information with every page request. One thing you can probably do is install a profile spoofing plugin; I am using such a plugin on my desktop Firefox, and it's likely also available for mobile. So sometimes Web sites think that I'm using Chrome on MacOS, sometimes that I'm using Opera on Windows 7, etc. – Kevin Keane Nov 30 '15 at 01:05
  • @Kevin Keane: the keyword is User-Agent spoofing, which is the HTTP header where the browser embeds this info on every HTTP request. – Lie Ryan Nov 30 '15 at 15:39
  • 2
    @immibis et al: While these scams may be 'obvious' or 'a give-away' for you and me, this is not true for less web-savvy people—arguably most users. I wouldn't be remotely shocked if my non-technical workmates and family members have computers and phones riddled with malware and spam apps, especially Windows machines. Have you ever had a family member ask you how to get out of part of a program, when the computer is telling them exactly what to do? They're not necessarily dumb; they just haven't been using technology as competently as us, and they won't notice these 'obvious give-aways'. – Michael Scheper Feb 28 '16 at 17:54
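The point made in the comments above, that the phone model and OS version shown in the alert come straight from the User-Agent header, can be checked with a short parser. This is an added example, not code from the thread or from the page that served the alert; the function names and the sample header strings are constructed for illustration.

```javascript
// What a page (or its server) can "detect" about a phone from the User-Agent
// header alone; in-page script sees the same string as navigator.userAgent.
function describeDevice(userAgent) {
  const ua = String(userAgent || '');
  const androidVersion = /Android\s+([\d.]+)/.exec(ua);
  if (androidVersion) {
    // Many Android browsers append "<model> Build/<id>"; some omit the model.
    const model = /;\s*([^;()]+?)\s+Build\//.exec(ua);
    return {
      os: 'Android',
      version: androidVersion[1],
      model: model ? model[1] : 'not disclosed',
    };
  }
  // iOS browsers write the version with underscores, e.g. "OS 8_4".
  const ios = /\((iPhone|iPad|iPod)[^)]*?OS (\d+(?:_\d+)*)/.exec(ua);
  if (ios) {
    return { os: 'iOS', version: ios[2].replace(/_/g, '.'), model: ios[1] };
  }
  return { os: 'unknown', version: 'unknown', model: 'unknown' };
}

// Server-side view: Node's http module lower-cases header names.
function deviceFromRequestHeaders(headers) {
  return describeDevice(headers['user-agent']);
}

// Constructed sample requests (not captured from the site in the question).
const SAMPLES = {
  chromeAndroid: { 'user-agent': 'Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B) ' +
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36' },
  firefoxAndroid: { 'user-agent': 'Mozilla/5.0 (Android 5.1.1; Mobile; rv:40.0) ' +
    'Gecko/40.0 Firefox/40.0' },
  safariIphone: { 'user-agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) ' +
    'AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4' },
  // Same phone with a spoofed desktop User-Agent: the "detection" changes,
  // which shows the page is echoing a header, not scanning the device.
  spoofedDesktop: { 'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) ' +
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36' },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, deviceFromRequestHeaders(headers));
}
```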

5 Answers

29

A popup was used to show the alert. Does this mean that the popup feature introduces vulnerabilities? Then by that line of reasoning JavaScript is the source of all problems. There are people who actually think that JS is an important vector for attacks and block it on untrusted websites with extensions like NoScript.

Many features can be misused, and it is up to the people creating the standards, browsers and even websites to judge what is bad and to change the standards or implement mitigations. Of course those people can be wrong and some feature can be unexpectedly used to attack users.

A nice example is the browser's console which is very often used to trick users into pasting JS code that attacks the user. This helped Facebook worms to propagate with great success. Facebook noticed this and introduced this message in the console: [Image]

This vibrate function might trick some users into thinking that it is actually the OS showing the alert, but I think the latest mobile browsers do a good job of showing the user that he is still inside the browser. In this case, the message from the browser is clear enough "The page at andro-apps.com says:"

If this becomes an important vector for attack, I'm sure the browser manufacturers will notice that and will make changes to reduce the impact.

Cristian Dobre
  • 1
    In which cases is that facebook warning shown? I wasn't able to reproduce it, and I have no idea how a site could possibly produce such a warning in the first place. – kasperd Aug 02 '15 at 16:53
  • 4
    In all cases. Go to Facebook.com and open the console in your browser. – Cristian Dobre Aug 02 '15 at 16:57
  • 3
    That I tried already. It did not produce any warning. – kasperd Aug 02 '15 at 16:58
  • 1
    It's showing in all my browsers whether I'm logged in or not. – Cristian Dobre Aug 02 '15 at 17:05
  • Newest version of Chromium on Ubuntu 14.04 is not showing the warning. – kasperd Aug 02 '15 at 17:16
  • The warning looks different on my Firefox, Chrome and Safari so maybe it is browser specific and not implemented for less common browsers. – Cristian Dobre Aug 02 '15 at 17:19
  • 1
    I can see it! What I want to know is how did they do that? – Ohnana Aug 02 '15 at 19:58
  • JS can write to console using console.log('message') – Cristian Dobre Aug 02 '15 at 20:05
  • 8
    In Chrome's console it's possible to do some limited CSS. In other browsers, Facebook does some ASCII art instead, which is less-than-perfect. Hard to read if the console isn't wide enough, and putting the `.` immediately after the `https://www.facebook.com/selfxss` results in a broken link in Firefox anyway. – Alexander O'Mara Aug 02 '15 at 20:40
  • 8
    `Then by that line of reasoning JavaScript is the source of all problems.` ...are you meaning to imply that it's not?!? – Mason Wheeler Aug 03 '15 at 02:26
  • 2
    A little bit of background on the Facebook "self XSS" prevention from the developer who implemented it originally: http://stackoverflow.com/a/21693931/74619 – Jan Fabry Aug 03 '15 at 07:43
  • 5
    @MasonWheeler, I know JS plays an important part in most web security issues, but blaming it is like blaming the browsers or operating systems or even electricity itself. Like it or not, JS is part of the modern web. – Cristian Dobre Aug 03 '15 at 11:08
  • Yup, I didn't notice that message is generated by the website initially because the incessant vibration distracted me. – Question Overflow Aug 04 '15 at 14:23
  • Are you saying that it was constantly vibrating? – Cristian Dobre Aug 04 '15 at 15:34
  • 1
    I have seen this in the wild too. I clicked on a "more info" button on a semi-shady app, thinking it would take me to a page with user comments. Instead, it led out of the site through an ad barrier. The ad was a fake "your os needs to be updated" banner prompting a download. The vibration only confirmed how shady it was. That the ad provider broke the back button and didn't provide an obvious way to skip the ad didn't help either. – John Dvorak Sep 12 '15 at 10:47
  • As a side note, is there any way to provide a rating to a play store app without installing it? – John Dvorak Sep 12 '15 at 10:51
  • [I doubt that NoScript is 100% clean itself](https://security.stackexchange.com/questions/123505/is-noscript-bad#comment287076_123505). I think [UBlock Origin](https://addons.mozilla.org/en-us/firefox/addon/ublock-origin) is more likely to be clean. – user21820 Apr 12 '18 at 08:18
6

> Suppose a malicious web page pops up a fake system notification and vibrates at the same time. How confident would you be of telling the difference between a legitimate pop-up and a .png on the web page you're viewing?

(Source)

Personally I have not heard of any exploit related to the HTML5 Vibrate API, but it could be used for evil goals as shown on the link above. But more serious is what the quoted text above mentions: you cannot distinguish between a legitimate pop-up and something else. This something else could be a pop-up used to trigger a drive-by download attack leading to malware (usually spyware or adware) installation on your system by exploiting the vulnerabilities of the browser you use (or those of its plugins).

> But luckily, I was able to calm my nerves sufficiently to realize that this is a scare-ware served through an ad-server and that the anti-virus could be the actual virus.

You have rather been wise in your decision because it could be a drive-by download attack. Try to use free (but powerful) services such as Stop Badware on your laptop to see if the website you surfed is blacklisted (notification may be negative in case the website is compromised too recently and no one reported it).

  • I would be happy to know what's wrong with my answer so that someone downvoted me ? –  Aug 02 '15 at 15:52
  • 1
    Upvoted to make up for downvote, I don't see anything terrible about this answer. – Mark K Cowan Aug 02 '15 at 16:24
  • It would be helpful if you copy-pasted relevant bits from your links. That way if the links break the useful information is preserved. – Ohnana Aug 02 '15 at 20:00
  • @Ohnana You are right but the first thing I did was to quote what I judge useful :) –  Aug 03 '15 at 03:12
  • D'oh. I thought you were quoting the OP... carry on :P – Ohnana Aug 03 '15 at 03:13
  • @Ohnana no worry, you are welcome –  Aug 03 '15 at 03:15
  • 1
    @MarkKCowan: I don't either, but users are free to vote in whatever direction they want. They need not state a reason and their votes are never incorrect. Reputation-wise, the upvote actually overcompensates by a factor five. Moreover, how can you tell someone else hasn't used this argument and made up for the downvote already? You too of course can use any motive you like to cast your vote, but I don't think the current score should weigh in all that much. – Marcks Thomas Aug 03 '15 at 10:38
  • 2
    Downvote without comment provides nothing unless the answer is obviously terrible or other comments justify the downvote. I can also vote in whichever direction I want, so I voted against the totally useless downvote. – Mark K Cowan Aug 03 '15 at 11:07
4

Honestly, the core question is whether vibration of the phone will give an application/website significantly more authority than without the vibration. Now, obviously I lack any research into this specific issue, but we can note that applications do not use vibrations as a way to convene authority. If anything it would feel wrong for an application to vibrate whilst turned on and be an extra indicator that something is odd about the situation, as vibration tends to only be triggered when the screen is off.

Might vibration create a feeling of urgency for some people? Definitely, and thus it might marginally improve the efficiency of scareware, but even if that would be the case it would still not be a security vulnerability as the vibration API would not allow one to do anything that one isn't allowed to do which is a necessary trait of a security vulnerability. So in conclusion it's definitely not a security vulnerability and it would make little sense to lock it away behind a permission dialog.

David Mulder
3

It's not a vulnerability in and of itself as it cannot be used to directly exploit the device, but it certainly can be and (as your question indicates) has been used for social engineering attacks.

In the case you mentioned, it is being used to create a sense of urgency and trick the user into installing unwanted software. It can also be used in combination with prompts that simulate dialogs generated by the OS or other apps on the phone to trick the user into loading malicious content.

Firefox for Android now has a permission prompt for vibration as of version 49 (page source; relevant bug report):

[Image: Vibration permission prompt on Firefox for Android]

bwDraco
2

> Is the HTML5 vibration feature a security vulnerability? Should mobile browsers enable such a feature on websites by default?

At least in the scenario you describe, no. The vibration feature here facilitates a social engineering attack, but is used as intended and designed.

In a more general sense, there may well be other security vulnerabilities related to the vibrate API (or, for that matter, to any other HTML feature).

Kevin Keane
  • 4
    Personally, the *only* time websites have vibrated my phone has been a function of spam and malware. I suspect this feature will eventually go the way of the HTML `` tag, and turned off by default, or just not supported. – Michael Scheper Feb 28 '16 at 18:00