A bug within Google Chrome allows websites to record audio and video without anyone knowing it is going on.
The discovery was made by AOL web developer Ran Bar-Zik.
While the bug may seem of massive proportions, it actually isn’t all that bad because the malicious website still needs to get the user’s permission to access the audio and video components. Therefore, if the user doesn’t grant the website the right to listen in, it won’t be able to, according to a report by Bleeping Computer.
However, the problem is there and there are ways to weaponize the vulnerability.
The discovery occurred as the AOL developer was dealing with a website running WebRTC code, which is the protocol for streaming audio and video in real time.
The recording doesn’t even have to run in the tab where the permission was originally granted, since the permission covers the entire domain, according to the report. The developer figured he could open a popup in Chrome and run the code to record audio and video there. Chrome shows a red circle and dot icon when a page is recording you, but since this is a popup, or a headless window, it doesn’t have a tab bar, so you’ll never actually see it.
The bug report has been submitted to Google, but the company doesn’t consider it to be a security issue.
“This isn’t really a security vulnerability – for example, WebRTC on a mobile device shows no indicator at all in the browser,” Google said. “The dot is a best-first effort that only works on desktop when we have chrome UI space available. That being said, we are looking at ways to improve this
Google won’t be pushing an update anytime soon since it doesn’t consider it to be a critical security issue. Therefore, users should pay attention to any prompts they get while in Chrome, and not grant permissions to just any website.