Skip to main content

Google Downplays Chrome Bug That Allows Websites To Secretly Record Audio & Video


Visual Notification Chrome Bug Main
In Google Chrome, a visual indicator in the form of a red dot appears on the tab when a website records audio and video from the browser.
A Chrome bug was reported to Google by AOL web developer Ran Bar-Zik. He
told Bleeping Computer that he had discovered it while checking a website running WebRTC code. WebRTC allows websites to record streams for live streaming to other devices across the internet.
Due to the bug, websites can record audio and video content without showing the visual indicator. Still, the site requires user’s permission to access the microphone and webcam. So, the situation isn’t that serious. But it doesn’t mean it can’t be exploited.
According to Ran, the access permissions are given for a whole domain, so, it’s possible not to use the same tab to record streams. The attacker can show a pop-up (headless Chrome window) running the code to record audio and video streams. This pop-up won’t carry the red dot. To verify his claims, he created a test popup himself.
Chrome bug webrtc2
Demo pop-up can record audio when permissions are granted. No red dot.
The demo pop-up is included in the bug report Ran submitted to Google. After gaining permission, the pop-up records 20-second audio clips and provides a download link for the same. The code for his proof-of-concept is available as a zip file.
Contrary to what Ran believes, Google doesn’t consider the bug as a threat at all. That’s because the visual indicator isn’t present on all platforms where Chrome is available.
“This isn’t really a security vulnerability – for example, WebRTC on a mobile device shows no indicator at all in the browser. The dot is a best-first effort that only works on desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation,” Google replied.
Chrome bug webrtc
Demo pop-up can’t record audio when permission not granted.
It might be possible that some people unknowingly grant access permissions and fail to recognize anything fishy due to the inconsistencies in the UI. This can lead to more sophisticated attacks.”Real attacks will not be very obvious,” said Ran when comparing these situations to the demo pop-up.
An evil pop-up might not even ask for a click like Ran’s demo. It can be as simple as an annoying advertisement which most of us don’t even realize is present alongside other browser windows until we close the web browser.
It’s possible for an attacker to time the pop-up according to their needs. It could possibly appear just for a moment to take a picture of the user or maybe even for hours.
Instead of setting up a whole website, according to Ran, it’s possible for an attacker to exploit cross-site scripting (XSS) flaws on trustworthy websites which have acquired access permissions from the user. The attacker can leverage the XSS flaws to deliver the attack code.

Google might not be entirely wrong

It’s unlikely that Google will push a bug fix as they don’t find Ran’s finding that alarming. Given the absence of the visual indicator on different Chrome variants, they might not be entirely wrong on their part. Also, the user plays a major role and has a choice of denying when asked for permissions.
visual indicator chrome bug
Got something to add, drop your thoughts and feedback inside comments.

Comments

Follow Us

WHAT'S HOT

Best Gaming Linux Distros You Need To Try In 2017

Gaming on Linux scene is improving each year with better hardware support and increasing support from game developers. Apart from established distros like Ubuntu and Arch Linux, gamers are using gaming Linux distros like Steam OS to get a better experience. The other It’s gaming operating systems are Sparky Linux – Gameover

111 Popular And Most Useful Webpages On The Internet

With the sheer myriad of websites available on it, the internet can often prove to be a pretty overwhelming place. As such it becomes really difficult to single out the useful websites from the needless ones. So today we bring to you a list of some of the most interesting and useful

Google’s Open Source DIY Kit Turns Your Raspberry Pi Into An AI Assistant

The latest edition of the MagPi magazine includes a DIY kit created by Google that can be used to create a custom Google Home device powered by Raspberry Pi. A user can take advantage of the Google Assistant SDK and Google Cloud Speech API to enable voice control in their projects.

Russian Hackers Used Kaspersky Software To Steal NSA Secrets And Code

According to a  report from WSJ , NSA’s classified data, which wasn’t supposed to leave the facility’s perimeter where a contractor worked, was stolen by Russian hackers. This incident