AOL web developer Ran Bar-Zik has uncovered a Google Chrome bug that allows websites to record audio and video without the user’s knowledge or any signs of the activity. Google, however, doesn’t consider the bug to be a critical security issue and doesn’t plan to do anything to patch it, at least not any time soon.
Chrome Bug Allows Websites to Record Audio and Video, Google Says Issue Isn’t Security-Related
What is the bug all about? A malicious website that exploits the bug still needs the user’s permission to access the audio and video components. If the user does not grant that permission, nothing will happen. Even though the flaw is not that serious, there may still be ways to exploit it in attacks.
How does the bug work? The researcher came across the bug while working on a website running WebRTC code – the protocol for streaming audio and video in real time. The researcher says that if the website is granted permission to access video and audio components, the website can run JavaScript code to record audio and video. This content can later be sent over the web to other participants of the stream.
As explained by the researcher’s bug report:
After getting the audio\video usage permissions for WebRTC, JS code can record video\audio without showing the graphical red dot in the tab when the record process is running. i.e. – after the permission is given the site can listen to the user whenever he wants to. It is done because JS `window.open` method does not give visual indication on record init.
The report indicates that the recording doesn’t have to run in the tab where the permission was initially granted, because the permission covers the whole domain. The researcher then found that he could launch a pop-up in the browser to run the code that records audio and video. Chrome will then display a red circle-and-dot icon if the website is recording. Unfortunately, the pop-up is a headless window with no tab bar, and as such the user won’t see it.
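Because the permission persists for the whole domain once granted, a practical check is to list which sites hold a standing camera or microphone grant in a Chrome profile. The following Python script is an added example, not code from the researcher or from Google; it assumes the layout of Chrome's profile Preferences file (the media_stream_mic and media_stream_camera exception lists, with setting 1 meaning allow) and runs on a constructed sample.

```python
import json

# Constructed sample mirroring the assumed layout of a Chrome profile
# "Preferences" file: profile.content_settings.exceptions.<type>.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {
        "media_stream_mic": {
            "https://meet.example.test:443,*": {"setting": 1},
            "https://blocked.example.test:443,*": {"setting": 2},
        },
        "media_stream_camera": {
            "https://meet.example.test:443,*": {"setting": 1},
            "https://video.example.test:443,*": {"setting": 1},
        },
    }}}
})

ALLOW = 1  # assumed encoding: 1 = allow, 2 = block
DEVICE_KEYS = {"media_stream_mic": "microphone", "media_stream_camera": "camera"}


def standing_media_grants(preferences_text):
    """Return {site: sorted devices} for sites with a persisted allow."""
    prefs = json.loads(preferences_text)
    exceptions = ((prefs.get("profile") or {})
                  .get("content_settings", {})
                  .get("exceptions", {}))
    grants = {}
    for key, device in DEVICE_KEYS.items():
        for pattern, entry in (exceptions.get(key) or {}).items():
            # Skip blocked or malformed entries; only standing allows matter.
            if not isinstance(entry, dict) or entry.get("setting") != ALLOW:
                continue
            site = pattern.split(",", 1)[0]  # drop the ",*" embedder part
            grants.setdefault(site, set()).add(device)
    return {site: sorted(devices) for site, devices in grants.items()}


def report(preferences_text):
    """One line per site, listing the devices it may use without a new prompt."""
    grants = standing_media_grants(preferences_text)
    return [f"{site}: {', '.join(grants[site])}" for site in sorted(grants)]


if __name__ == "__main__":
    for line in report(SAMPLE_PREFERENCES):
        print(line)
```

Each site in the output can start recording again without a new prompt, so entries that are no longer needed are candidates for removal in Chrome's site settings.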
As mentioned in the beginning, Google was informed about the Chrome bug but since the company doesn’t consider the bug serious enough, it won’t deal with it for now.
“This isn’t really a security vulnerability – for example, WebRTC on a mobile device shows no indicator at all in the browser. The dot is a best-first effort that only works on desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation,” Google replied.