In Google Chrome, a visual indicator in the form of a red dot appears on the tab when a website records audio and video from the browser.
A Chrome bug was reported to Google by AOL web developer Ran Bar-Zik. He
told Bleeping Computer that he had discovered it while checking a website running WebRTC code. WebRTC allows websites to record streams for live streaming to other devices across the internet.
Due to the bug, websites can record audio and video content without showing the visual indicator. Still, the site requires user’s permission to access the microphone and webcam. So, the situation isn’t that serious. But it doesn’t mean it can’t be exploited.
According to Ran, the access permissions are given for a whole domain, so, it’s possible not to use the same tab to record streams. The attacker can show a pop-up (headless Chrome window) running the code to record audio and video streams. This pop-up won’t carry the red dot. To verify his claims, he created a test popup himself.
Demo pop-up can record audio when permissions are granted. No red dot.
The demo pop-up is included in the bug report Ran submitted to Google. After gaining permission, the pop-up records 20-second audio clips and provides a download link for the same. The code for his proof-of-concept is available as a zip file.
Contrary to what Ran believes, Google doesn’t consider the bug as a threat at all. That’s because the visual indicator isn’t present on all platforms where Chrome is available.
“This isn’t really a security vulnerability – for example, WebRTC on a mobile device shows no indicator at all in the browser. The dot is a best-first effort that only works on desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation,” Google replied.
Demo pop-up can’t record audio when permission not granted.
It might be possible that some people unknowingly grant access permissions and fail to recognize anything fishy due to the inconsistencies in the UI. This can lead to more sophisticated attacks.”Real attacks will not be very obvious,” said Ran when comparing these situations to the demo pop-up.
An evil pop-up might not even ask for a click like Ran’s demo. It can be as simple as an annoying advertisement which most of us don’t even realize is present alongside other browser windows until we close the web browser.
It’s possible for an attacker to time the pop-up according to their needs. It could possibly appear just for a moment to take a picture of the user or maybe even for hours.
Instead of setting up a whole website, according to Ran, it’s possible for an attacker to exploit cross-site scripting (XSS) flaws on trustworthy websites which have acquired access permissions from the user. The attacker can leverage the XSS flaws to deliver the attack code.
Google might not be entirely wrong
It’s unlikely that Google will push a bug fix as they don’t find Ran’s finding that alarming. Given the absence of the visual indicator on different Chrome variants, they might not be entirely wrong on their part. Also, the user plays a major role and has a choice of denying when asked for permissions.
Got something to add, drop your thoughts and feedback inside comments.
You married someone you trusted, and you gave yourself to that person. How could it be that the person you trusted with your life now acts like the person who could take your life? A quick scan of the Internet reveals that Twenty-five percent of adult women say they have experienced violence at
According to a report from WSJ , NSA’s classified data, which wasn’t supposed to leave the facility’s perimeter where a contractor worked, was stolen by Russian hackers. This incident
The Continue on PC feature is currently available to Windows Insiders, but it’ll arrive for regular users once the update starts landing on their PCs. If you’re running an Insider build, you can use the steps mentioned in this post to connect your phone to Windows 10 PC.
The core of the camera is AI engine which does the processing part and gets smarter over time. Clips can detect people and subjects using machine learning that happens on the system itself.
Comments
Post a Comment