Chrome Bug Allows Sites to Record Audio and Video Without a Visual Indicator

June 15th, 2017

Ran Bar-Zik, a web developer at AOL, has discovered and reported a bug in Google Chrome that allows websites to record audio and video without showing a visual indicator.

The bug is not as bad as it sounds, as the malicious website still needs to get the user’s permission to access audio and video components, but there are various ways in which this issue could be weaponized to record audio or video without the user’s knowledge.

The bug’s central element is a “red circle and dot” icon that Chrome usually shows when recording audio or video streams.

WebRTC is a protocol for streaming audio and video content over the Internet in real time. In order to stream audio or video content, a user must first grant a website permission to access his audio and video components.

When a website receives this permission, it can run JavaScript code that records audio or video content before sending it over the Internet to the other participants of a WebRTC stream. This recording process is done via the JavaScript-based MediaRecorder API.

Bar-Zik discovered that the code that does the recording doesn’t necessarily have to run on the original tab where the permission was granted.

Because the permission to access audio and video data was granted for an entire domain, the Israeli developer realized he could start a headless Chrome window (popup) where he could run the code to record audio and video.
