The bug is not as bad as it sounds, as the malicious website still needs to get the user’s permission to access audio and video components, but there are various ways in which this issue could be weaponized to record audio or video without the user’s knowledge.
The bug’s central element is a “red circle and dot” icon that Chrome usually shows when recording audio or video streams.
Bar-Zik told Bleeping Computer he discovered the bug at work while dealing with a website that ran WebRTC code.
WebRTC is a protocol for streaming audio and video content over the Internet in real time. In order to stream audio or video content, a user must first grant a website permission to access his audio and video components.
When a website receives this permission, it can run JavaScript code that records audio or video content, before sending it over the Internet to the other participants of an WebRTC stream. This recording process is done via the JavaScript-based MediaRecorder API.
