
security considerations regarding use of platform accessibility apis for accessing user data #154

Closed
npdoty opened this issue Dec 7, 2022 · 3 comments
Labels
privacy-tracker: Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response.
security-tracker: Group bringing to attention of security, or tracked by the security Group but not needing response.

Comments

@npdoty

npdoty commented Dec 7, 2022

There have been threats of malware using accessibility interfaces to get access to screen contents or to automate malicious operations. Are there any specific considerations for Core-AAM for threats of malware which has received platform accessibility access to scrape users' data from their online browsing, or to automate malicious actions on their behalf?

Would there be any possibility or reason for site authors to indicate sensitive data that should only be accessed with special user permission? (We've occasionally heard of this threat/potential mitigation when it comes to attacks on banking sites, etc.)

There may not be any specific mitigations to describe here, but it seems like a relevant security topic to consider for our a11y specs that interact with platform a11y tools.

npdoty added the privacy-tracker and security-tracker labels on Dec 7, 2022.
@npdoty
Author

npdoty commented Dec 7, 2022

Thanks to @sseng123 for identifying this class of threat and raising it during our privacy review of this specification. I've tried to include the basic concern in a shorter format here.

@jnurthen
Member

jnurthen commented Dec 7, 2022

@npdoty I'm interested to know more about these threats. Can you please send more specifics? (If not suitable for a public forum, please send to me privately.) At the moment this is too abstract to know if any action should or could be taken.

@cookiecrook
Contributor

cookiecrook commented Dec 8, 2022

This report is too vague to be actionable. If there are security vulnerability exploits with a specific implementation, those should be reported through the implementation's security issue tracker. ARIA has had security cross-review at various stages, and the Working Group is not aware of specific security concerns in ARIA itself, so I'd recommend closing this issue. As with #155, more discussion is needed in w3ctag/design-principles#293
