If your web browser was recording audio and video of you without any indication it was doing so, would you consider that invasion of privacy a security issue? Chrome doesn’t.
After AOL web developer Ran Bar-Zik discovered that a website can record audio and video without the red recording light appearing on the Chrome tab, he reported the bug.
But since users are the crux of the problem, Google doesn’t classify it as a security flaw. That’s because before any audio or video recordings, a user has to give a site permission before it can access a user’s webcam or microphone.
Yet Bar-Zik believes people will not be fully aware of what they are clicking on when granting permissions. The bug could be weaponized and “real attacks will not be very obvious,” he told Bleeping Computer.
To prove his point, Bar-Zik came up with a proof-of-concept demo showing how the attack would work. After clicking to grant permission to access audio/video components, a popup window opens, records 20 seconds of audio and then provides a download link for the recorded file.