Chrome bug that lets sites secretly record audio and video is not a flaw, Google says

Pay close attention to what permissions you grant websites as you can't depend on the red recording indicator on a Chrome tab to alert you that a site is recording audio and video.


If your web browser was recording audio and video of you without any indication it was doing so, would you consider that invasion of privacy a security issue? Chrome doesn’t.

After AOL web developer Ran Bar-Zik discovered that a website can record audio and video without the red recording light appearing on the Chrome tab, he reported the bug

But since users are the crux of the problem, Google doesn’t classify it as a security flaw. That’s because a user has to give a site permission to access the webcam or microphone before any audio or video can be recorded.

Yet Bar-Zik believes people will not be fully aware of what they are clicking on when granting permissions. The bug could be weaponized and “real attacks will not be very obvious,” he told Bleeping Computer.

Bar-Zik discovered the Chrome bug when he was on a site that ran WebRTC code. WebRTC (Web Real-Time Communication) allows real-time communications. In a browser, a site will ask the user to grant permissions to access a microphone or webcam. If the user gives permission for a site to stream audio and video, it can run JavaScript code to record the content before sending it on to the WebRTC stream.

Bar-Zik’s bug report, however, states that the JavaScript can record without showing the red recording dot indicator on the Chrome tab. He explained, “After the permission is given, the site can listen to the user whenever” a hacker behind the site wants to.

To prove his point, Bar-Zik came up with a proof-of-concept demo showing how the attack would work. After clicking to grant permission to access audio/video components, a popup window opens, records 20 seconds of audio and then provides a download link for the recorded file.

Here’s how Google responded to the Chrome bug report:

This isn't really a security vulnerability - for example, WebRTC on a mobile device shows no indicator at all in the browser. The dot is a best-first effort that only works on desktop when we have chrome UI space available.

That being said, we are looking at ways to improve this situation.

Despite Google’s response, Bar-Zik still believes it is a security issue. Bleeping Computer reported:

For example, Bar-Zik argues that an attacker could use very small popups to launch the attack code. This code can use the camera for a millisecond to take a user's picture, or for hours, recording the user's movements or nearby audio.

If the user doesn't notice the popup in his toolbar, there's no visual indicator to cue him that someone is accessing his audio and video components. One of the sneakiest scenarios would be if the attacker disguised the popup as a mundane ad. If the user doesn't immediately close the ad's popup, an attacker remains with a surveillance channel opened on the user's PC.

On top of that, Bar-Zik said an attacker could skip the permission part altogether and instead “exploit cross-site scripting (XSS) flaws on legitimate websites that have already obtained access to the user's audio and video components. These XSS flaws could be used to deliver the attack code.”

Whether you agree with Google or with Bar-Zik about whether this is a Chrome bug, the best way to protect yourself is to pay attention to what permissions you’re granting websites and even extensions. If you have a webcam, please place a sticky note or something else to cover the camera unless you are using it.
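One way to review which sites already hold a standing camera or microphone grant, the same grants the XSS scenario above would ride on, is to read them out of the Chrome profile's Preferences file. This is an added example, not code from Bar-Zik, Google or the article. It assumes the Preferences JSON keeps these grants under `profile.content_settings.exceptions` as `media_stream_mic` and `media_stream_camera` with `setting` 1 meaning allow, which may differ between Chrome versions; the sample data is constructed.

```python
import json
import sys

# Assumed layout of Chrome's per-profile "Preferences" JSON file; key names
# and the numeric encoding (1 = allow, 2 = block) may vary between versions.
MEDIA_KEYS = {"media_stream_mic": "microphone", "media_stream_camera": "camera"}
ALLOW = 1


def granted_media_origins(prefs):
    """Return {origin: sorted list of devices} for every stored 'allow' grant."""
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {}))
    grants = {}
    for key, device in MEDIA_KEYS.items():
        for pattern, entry in exceptions.get(key, {}).items():
            # Skip blocked sites and malformed entries.
            if not isinstance(entry, dict) or entry.get("setting") != ALLOW:
                continue
            # Patterns look like "https://site:443,*"; keep the requesting origin.
            origin = pattern.split(",", 1)[0]
            grants.setdefault(origin, set()).add(device)
    return {origin: sorted(devs) for origin, devs in sorted(grants.items())}


# Constructed sample standing in for a real Preferences file.
SAMPLE_PREFS = {
    "profile": {"content_settings": {"exceptions": {
        "media_stream_mic": {
            "https://meet.example:443,*": {"setting": 1},
            "https://ads.example:443,*": {"setting": 2},
        },
        "media_stream_camera": {
            "https://meet.example:443,*": {"setting": 1},
            "https://photo.example:443,*": {"setting": 1},
        },
    }}}
}

if __name__ == "__main__":
    # Pass the path to a profile's Preferences file, or no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            prefs = json.load(fh)
    else:
        prefs = SAMPLE_PREFS
    for origin, devices in granted_media_origins(prefs).items():
        print(f"{origin}: {', '.join(devices)}")
```

Any origin in the output that you no longer use can be revoked in Chrome's site settings.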

On a personal note, thank you for reading Security Is Sexy for the last eight years. Computerworld, a part of IDG, will reportedly not be covering security issues from here on out. Keep an eye on my Twitter feed as I may launch a site where I’ll continue to cover security/hacking/cybercrime/surveillance/privacy – issues I care deeply about – and more tech stuff that catches my attention. Again, thank you for reading and buh-bye for now.

Copyright © 2017 IDG Communications, Inc.
