As currently specified, the setParentalControlPin and setParentalControl methods could easily be brute-forced by a web page to change the PIN or clear the isLocked flag, depending on the complexity of the PIN code set. This may be fine in a device-specific implementation context, but less desirable if the API is accessed from arbitrary web pages. How should these APIs be protected from abuse?