A bug within Google Chrome allows websites to record audio and video without anyone knowing it is going on.

The discovery was made by AOL web developer Ran Bar-Zik.

While the bug may seem to be of massive proportions, it actually isn’t all that bad, because the malicious website still needs to get the user’s permission to access the audio and video components. If the user doesn’t grant the website the right to listen in, it won’t do that, according to a report by Bleeping Computer.

However, the problem is there and there are ways to weaponize the vulnerability.

The discovery occurred as the AOL developer was dealing with a website running WebRTC code, which is the protocol for streaming audio and video in real time.

If permission is granted for the website to access the audio and video components, most likely unknowingly as the user tries to dismiss the notification, the website can run JavaScript code that records audio or video content. The content can then go out over the Internet to the other participants of the stream.

The recording doesn’t even have to run in the tab where the permission was originally granted, since the permission covers the entire domain, according to the report. The developer figured he could start a popup in Chrome where he could run the code to record audio and video. Chrome shows a red circle and dot icon when a page is recording you, but since this is a popup, or a headless window, it doesn’t have a tab bar, so you’ll never actually see it.

The bug report has been submitted to Google, but the company doesn’t consider it to be a security issue.

“This isn’t really a security vulnerability – for example, WebRTC on a mobile device shows no indicator at all in the browser,” Google said. “The dot is a best-first effort that only works on desktop when we have chrome UI space available. That being said, we are looking at ways to improve this

Google won’t be pushing an update anytime soon since it doesn’t consider it to be a critical security issue. Therefore, users should pay attention to any prompts they get while on Chrome, and shouldn’t grant permissions to just any website.

