Unless you allow the site to record you, there's no danger

May 30, 2017 13:14 GMT

A bug in Google Chrome allows websites to record audio and video without showing any indicator of this activity.

The discovery was made by Ran Bar-Zik, a web developer at AOL, Bleeping Computer reports. While the bug may seem massive, it actually isn't all that bad because the malicious website still needs to get the user's permission to access the audio and video components. Therefore, if the user doesn't grant the website the right to listen in, it won't do that.

However, the problem is there and there are ways to weaponize the vulnerability.

How it works

The discovery was reportedly made as the AOL developer was dealing with a website running WebRTC code, which is the protocol for streaming audio and video in real time.

If permission is granted for the website to access the audio and video components, most likely unknowingly as the user tries to dismiss the notification, the website can run JavaScript code that records audio or video content. The content can then be sent over the Internet to the other participants in the stream.

According to the report, the recording doesn't even have to run on the tab where the permission was granted originally since it covers the entire domain. The developer figured he could start a popup in Chrome where he could run the code to record both audio and video. Chrome shows a red circle and dot icon when a page is recording you, but since this is a popup, or a headless window, it doesn't have a tab bar, so you'll never actually see it.

The bug report has been submitted to Google, but the company doesn't consider it to be a security issue. "This isn't really a security vulnerability - for example, WebRTC on a mobile device shows no indicator at all in the browser. The dot is a best-first effort that only works on desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation," Google said on the matter.

As a result, Google won't be pushing an update anytime soon since it doesn't consider it to be a critical security issue. Therefore, you should probably start paying extra attention to any prompts you get while on Chrome, and don't grant just any website permissions.
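
Because a camera or microphone grant covers the whole origin rather than a single tab, reviewing which sites already hold one is a useful check. The script below is an added example, not part of the original article; it assumes Chrome's profile `Preferences` JSON keeps these grants under `profile.content_settings.exceptions` in the `media_stream_mic` and `media_stream_camera` keys, and it runs on constructed sample data.

```python
import json

# Chrome's ContentSetting enum: 1 = allow, 2 = block, 3 = ask.
ALLOW = 1
# Assumed key names under profile.content_settings.exceptions in Preferences.
MEDIA_KEYS = {"media_stream_mic": "microphone", "media_stream_camera": "camera"}


def granted_media_origins(prefs):
    """Return {origin: sorted list of devices} for origins with a standing allow."""
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {}))
    grants = {}
    for key, device in MEDIA_KEYS.items():
        for pattern, entry in exceptions.get(key, {}).items():
            if entry.get("setting") != ALLOW:
                continue
            # Patterns look like "primary,secondary"; the primary part is the origin.
            origin = pattern.split(",", 1)[0]
            grants.setdefault(origin, set()).add(device)
    return {o: sorted(d) for o, d in sorted(grants.items())}


# Constructed sample, not taken from a real profile.
SAMPLE_PREFS = json.loads("""
{"profile": {"content_settings": {"exceptions": {
  "media_stream_mic": {
    "https://meet.example:443,*": {"setting": 1},
    "https://news.example:443,*": {"setting": 2}
  },
  "media_stream_camera": {
    "https://meet.example:443,*": {"setting": 1},
    "https://shop.example:443,*": {"setting": 1}
  }
}}}}
""")

if __name__ == "__main__":
    # To audit a real profile, json.load() its Preferences file and pass the result.
    for origin, devices in granted_media_origins(SAMPLE_PREFS).items():
        print(f"{origin}: {', '.join(devices)}")
```

Any origin listed can start capture from any of its pages, so entries that are no longer needed are candidates for removal in Chrome's site settings.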