Google Chrome bug allows sites to spy on you by secretly recording audio and video
A new Google Chrome bug has been uncovered that reportedly allows websites to record audio and video without alerting the user or providing any visual indicator, although the user must first grant the site permission to access audio and video features.
According to the security researcher who discovered the flaw, it could potentially be weaponized and used for spying on targets.
Ran Bar-Zik, a web developer at AOL, has discovered and reported a bug in Google Chrome that allows websites to record audio and video without showing a visual indicator.
The bug is not as bad as it sounds, as the malicious website still needs to get the user's permission to access audio and video components, but there are various ways in which this issue could be weaponized to record audio or video without the user's knowledge.
The bug's central element is a "red circle and dot" icon that Chrome usually shows when recording audio or video streams.
In a private conversation, Bar-Zik told Bleeping Computer he discovered the bug at work while dealing with a website that ran WebRTC code.
WebRTC is a protocol for streaming audio and video content over the Internet in real time. In order to stream audio or video content, a user must first grant a website permission to access his audio and video components.
When a website receives this permission, it can run JavaScript code that records audio or video content before sending it over the Internet to the other participants of a WebRTC stream. This recording process is done via the JavaScript-based MediaRecorder API.
Attack Code is Launched via a Chrome Popup.
Bar-Zik discovered that the code that does the recording doesn't necessarily have to run on the original tab where the permission was granted.
Because the permission to access audio and video data was granted for an entire domain, the Israeli developer realized he could start a headless Chrome window (popup) where he could run the code to record audio and video.
Chrome shows the red circle and dot icon in a window's tab, so the icon doesn't appear for the popup: this headless window doesn't have a tab bar.
Researcher Reported Issue to Google but no Urgent Fix is Coming.
Bar-Zik told Bleeping Computer that after he had verified this issue with family members and other peers, he submitted a bug report to Google. The bug report is available here. The report also includes a benign demo that asks the user for permission, launches a popup when a user clicks a button, records 20 seconds of audio, and provides a download link for the recorded file. The proof-of-concept code is also available for download from here.
In a response Bar-Zik received on the same day, Google declined to consider this bug a security issue.
"This isn't really a security vulnerability - for example, WebRTC on a mobile device shows no indicator at all in the browser. The dot is a best-first effort that only works on desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation."
Google isn't Wrong in its assessment.
Since Google didn't label this as a security issue, Chrome will not receive an urgent fix. Nonetheless, Google is also right in its decision to not consider this a security issue, as the red circle and dot icon is not present in all Chrome versions, and the real defense against this type of attack is the permissions popup.
Users that want to stay safe against these types of attacks should pay close attention to the permissions they grant websites.
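Because the grant applies to the whole domain and persists, one practical check is to list which sites currently hold a standing "allow" for the microphone or camera. The following is an added example, not code from the original article or from Chrome: it assumes the profile's Preferences JSON stores these grants under profile.content_settings.exceptions.media_stream_mic and media_stream_camera with setting 1 meaning allow, and it runs on a constructed sample.

```python
import json

# Assumed Chrome content-setting values: 1 = allow, 2 = block, 3 = ask.
ALLOW = 1
# Assumed exception keys in the profile's Preferences file.
MEDIA_KEYS = {"media_stream_mic": "microphone", "media_stream_camera": "camera"}


def standing_media_grants(preferences_text):
    """Return sorted (origin, device) pairs that hold a persistent 'allow'."""
    prefs = json.loads(preferences_text)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {}))
    grants = []
    for key, device in MEDIA_KEYS.items():
        for pattern, entry in exceptions.get(key, {}).items():
            # Keys look like "primary,secondary"; the primary part is the site.
            origin = pattern.split(",", 1)[0]
            if isinstance(entry, dict) and entry.get("setting") == ALLOW:
                grants.append((origin, device))
    return sorted(grants)


# Constructed sample input (not taken from a real profile).
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {
        "media_stream_mic": {
            "https://chat.example:443,*": {"setting": 1},
            "https://news.example:443,*": {"setting": 2},
        },
        "media_stream_camera": {
            "https://chat.example:443,*": {"setting": 1},
            "https://shop.example:443,*": {"setting": 3},
        },
    }}}
})

if __name__ == "__main__":
    for origin, device in standing_media_grants(SAMPLE_PREFERENCES):
        # Any window opened by this origin, popups included, inherits the grant.
        print(f"{origin}: standing {device} permission")
```

Pass the function the text of a profile's Preferences file; any origin it reports can use the device again without a new prompt, so entries that are no longer needed are candidates for revocation in Chrome's site settings.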