If your web browser was recording audio and video of you without any indication it was doing so, would you consider that invasion of privacy a security issue? Chrome doesn’t.

After AOL web developer Ran Bar-Zik discovered that a website can record audio and video without the red recording light appearing on the Chrome tab, he reported the bug.

But since users are the crux of the problem, Google doesn’t classify it as a security flaw. That’s because a user has to give a site permission before it can access the user’s webcam or microphone and record any audio or video.

Yet Bar-Zik believes people will not be fully aware of what they are clicking on when granting permissions. The bug could be weaponized and “real attacks will not be very obvious,” he told Bleeping Computer.

Bar-Zik discovered the Chrome bug when he was on a site that ran WebRTC code. WebRTC (Web Real-Time Communication) allows real-time communications. In a browser, a site will ask the user to grant permissions to access a microphone or webcam. If the user gives permission for a site to stream audio and video, it can run JavaScript code to record the content before sending it on to the WebRTC stream.

Bar-Zik’s bug report, however, states that the JavaScript can record without showing the red recording dot indicator on the Chrome tab. He explained, “After the permission is given, the site can listen to the user whenever” a hacker behind the site wants to.

To prove his point, Bar-Zik came up with a proof-of-concept demo showing how the attack would work. After clicking to grant permission to access audio/video components, a popup window opens, records 20 seconds of audio and then provides a download link for the recorded file.
