I-cant-believe-its-not-webusb: Hacking around lack of WebUSB support in Firefox

Published on: 2025-06-15 21:36:08

We don't need no stinkin' WebUSB!

It turns out that there is a way for a web page to access USB devices without requiring WebUSB and its associated political disagreements! Not only that, a device can intentionally design itself to bypass all of the user consent requirements.

Quick demo

Load u2f-hax.uf2 onto a Raspberry Pi Pico (RP2040 version), and then load index.html from either localhost or another secure context. The "On!" and "Off!" buttons will toggle the LED, and the state of pin GP22 will be regularly updated on the page (you can conveniently short it to the adjacent GND pad with a piece of wire or metal).

The Pico is programmed to emulate a U2F dongle (i.e. a physical two-factor security key). However, instead of performing any security functions, arbitrary data is smuggled in the "key handle" and signature of U2F_AUTHENTICATE messages. As long as the key handle starts with 0xfeedface, the Pico instantly "confirms" user presence and returns data.

Why is this possible? ...
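
The message layout described above, as an added example that is not part of the original article or the project's code: a Python parser for the U2F_AUTHENTICATE request and response bodies (field layout per the FIDO U2F raw message format) that flags key handles carrying the 0xfeedface prefix. The function names and sample messages are constructed for illustration.

```python
import struct

MAGIC = bytes.fromhex("feedface")  # key-handle prefix named in the article

def parse_authenticate_request(data: bytes) -> dict:
    """Request body: challenge(32) | application(32) | kh_len(1) | key handle."""
    if len(data) < 65:
        raise ValueError("shorter than challenge + application + length byte")
    kh_len = data[64]
    if len(data) != 65 + kh_len:
        raise ValueError("key handle length byte does not match message size")
    key_handle = data[65:]
    return {
        "challenge": data[:32],
        "application": data[32:64],
        "key_handle": key_handle,
        "magic_prefix": key_handle.startswith(MAGIC),
    }

def parse_authenticate_response(data: bytes) -> dict:
    """Response body (status word stripped): presence(1) | counter(4, BE) | signature."""
    if len(data) < 5:
        raise ValueError("shorter than presence byte + counter")
    return {
        "user_present": bool(data[0] & 0x01),  # bit 0 = user presence verified
        "counter": struct.unpack(">I", data[1:5])[0],
        "signature": data[5:],
    }

def flag_exchange(request: bytes, response: bytes) -> list:
    """Return findings for one captured request/response pair."""
    req = parse_authenticate_request(request)
    resp = parse_authenticate_response(response)
    findings = []
    if req["magic_prefix"]:
        extra = len(req["key_handle"]) - len(MAGIC)
        findings.append(f"key handle has 0xfeedface prefix, {extra} byte(s) follow")
        if resp["user_present"]:
            findings.append("user presence asserted for a magic-prefixed key handle")
    return findings

# Constructed sample messages (not captured from a real device).
SAMPLE_REQUEST = bytes(32) + bytes(32) + bytes([6]) + MAGIC + b"\x4c\x01"
SAMPLE_RESPONSE = b"\x01" + (7).to_bytes(4, "big") + bytes(8)
BENIGN_REQUEST = bytes(64) + bytes([4]) + b"abcd"

if __name__ == "__main__":
    for finding in flag_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print(finding)
```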