Audio & security from Yoav Weiss on 2013-08-09 (public-webappsec@w3.org from August 2013)

From: Yoav Weiss <yoav@yoav.ws>
Date: Fri, 9 Aug 2013 23:31:00 +0200
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Boris Smus <boris@smus.com>
Message-ID: <CACj=BEjOK-eoqTYiZBjhAaRH3v+f1_U8cfHd_WVAU01eXhG=Mw@mail.gmail.com>

Boris Smus wrote an excellent blog post about the use of WebAudio for short
range data transmission using inaudible audio (
http://smus.com/ultrasonic-networking/).

That got me thinking regarding the security implications of the Web Audio
API & inaudible audio in general.
I'm not really sure if & how this can be exploited. XSS can use it to send
data to the user's proximity, but it can already send it to anywhere in the
world today.
It might more likely be used to detect other users in the vicinity &
communicate with them, which can be a feature but can also be a security
issue if the user is unaware.

Is this use of inaudible audio worth considering in term of its security?
Is it something that we want to require the user's permission for? Maybe a
warning/indicator? Or am I just being paranoid?

Yoav

Received on Friday, 9 August 2013 21:31:28 UTC