Chrome Flaw Allows Sites to Secretly Record Audio/Video Without Indication

Hammerhead_Corvette · June 5, 2017, 5:07am

A UX design flaw in the Google's Chrome browser could allow malicious websites to record audio or video without alerting the user or giving any visual indication that the user is being spied on.

AOL developer Ran Bar-Zik reported the vulnerability to Google on April 10, 2017, but the tech giant declined to consider this vulnerability a valid security issue, which means that there is no official patch on the way.

Before jumping onto vulnerability details, you first need to know that web browser based audio-video communication relies on WebRTC (Web Real-Time Communications) protocol – a collection of communications protocols that is being supported by most modern web browsers to enable real-time communication over peer-to-peer connections without the use of plugins.

However, to protect unauthorised streaming of audio and video without user's permission, the web browser first request users to explicitly allow websites to use WebRTC and access device camera/microphone.

Once granted, the website will have access to your camera and microphone forever until you manually revoke WebRTC permissions.

In order to prevent 'authorised' websites from secretly recording your audio or video stream, web browsers indicate their users when any audio or video is being recorded.

mihawk90 · June 5, 2017, 10:57am

totally not click-bait title

Well... if you read the article (the quoted text doesn't really say anything) it clearly states that the user - even for this "exploit"/"spying" - needs to authorise the website to use the microphone and/or camera.

So the first thing is that the user has to trust the website and allow the Mic/Cam being used, if one wouldn't trust the website, don't enable it.

Secondly if you don't trust the website, but still need to use the Mic/Cam once for whatever reason, you can set a one-time allow on the permission. After first use and closing the website, it will ask again on the next visit, rendering the "exploit" useless.

The third thing, if you try this code without the user first allowing Mic/Cam it won't do anything.

That being said, of course it would be theoretically possible to record while a one-time allow is active, and it would be nice if it were shown more clearly. But it's not a huge thing. If you don't trust a site, don't allow it.

/edit

Edward Snowden leaks also revealed Optic Nerve – the NSA's project to capture webcam images every 5 minutes from random Yahoo users. In just six months, 1.8 Million users' images were captured and stored on the government servers in 2008.

And WTF has this to do with this topic?