by taviso 1239 days ago
I think I need to see some data to back up your claim that Web USB makes social engineering "catastrophically worse". Web USB is deployed today for a billion users, and yet attackers still seem to prefer malware or walking victims through installing TeamViewer, correct?

We're not talking about any vulnerability here, this is social engineering. There is no amount of confirmation that can be required or warnings added that a confidence trickster cannot walk you through dismissing. The only solution is to limit what you're allowed to do with your own computer.

That's a really high price to pay.

1 comments

Ah, but before they got tricked into TeamViewer, they were likely compromised once or twice over by Google: It's likely the link to the scammer's screen came from a Google ad that directed a user to a browser hijacking web extension, all of which has roughly the same level of difficulty as WebUSB. Then after that, a scammer may talk them through the process of downloading a RAT. (Though TeamViewer has not been popular for this in a while because they are responsive to security reports. There are some overseas-based tools which have taken over exclusively in the last few years because the developer doesn't answer their email.)

WebUSB is new, non-standard, of course, and last time I tried it required feature flagging (its saving grace... at the time). Compromises through extensions are probably more likely for a while, but WebUSB will probably be more exciting for persistence, considering you could flash an entire hardware device with malicious code, that the user has already demonstrated comfort connecting back to their PC.

Do you think you might have argued against the internet when it was being deployed?

It sure opened the door to a lot of scams, and was far from a perfect solution. Yet it does seem to have had a net positive effect. Maybe that can be true of other technologies sometimes :)

Let's leave it there, I don't think there's anything else to add.