Chrome Flaw Allows Sites to Secretly Record Audio/Video Without Indication


What if your laptop is listening to everything that is being said during your phone calls or other people near your laptop and even recording video of your surrounding without your knowledge?

Sounds really scary! Isn’t it? But this scenario is not only possible but is hell easy to accomplish.

A UX design flaw in the Google’s Chrome browser could allow malicious websites to record audio or video without alerting the user or giving any visual indication that the user is being spied on.

AOL developer Ran Bar-Zik reported the vulnerability to Google on April 10, 2017, but the tech giant declined to consider this vulnerability a valid security issue, which means that there is no official patch on the way.

How Browsers Works With Camera & Microphone

Before jumping onto vulnerability details, you first need to know that web browser based audio-video communication relies on WebRTC (Web Real-Time Communications) protocol – a collection of communications protocols that is being supported by most modern web browsers to enable real-time communication over peer-to-peer connections without the use of plugins.

However, to protect unauthorised streaming of audio and video without user’s permission, the web browser first request users to explicitly allow websites to use WebRTC and access device camera/microphone.

Once granted, the website will have access to your camera and microphone forever until you manually revoke WebRTC permissions.

In order to prevent ‘authorised’ websites from secretly recording your audio or video stream, web browsers indicate their users when any audio or video is being recorded.

“Activating this API will alert the user that the audio or video from one of the devices is being captured,” Bar-Zik wrote on a Medium blog post. “This record indication is the last and the most important line of defense.”

In the case of Google Chrome, a red dot icon appears on the tab, alerting users that the audio or video streaming is live.

Read more…