Vulnerability in Chrome allows websites to secretly record audio and video

May 31, 2017 | 3:42 pm

Published by | Payal Gautam

Israeli developer Ran Bar-Zik discovered a vulnerability in the Google Chrome browser that allows websites to discreetly record video and audio.

The problem is not as serious as it seems, because sites need the user's permission to access the audio and video components, but it can allow attackers to record video and audio without the user's knowledge.

Bar-Zik discovered a flaw in how Chrome handles sites that use the WebRTC protocol. This technology is designed to provide point-to-point streaming data transfer between browsers or other applications that support it. To transfer audio and video, the user must give the website permission to access the respective components. After receiving permission, the site runs JavaScript code that records audio and video. The researcher found that the code can be executed not only in the original tab, where permission was granted, but also in a sub-window. As a rule, Chrome shows an icon in the form of a circle with a red dot while audio and video are being recorded, but the icon is not displayed in an auxiliary window, i.e. the user does not know whether recording is in progress.

The expert informed Google about the problem, but the company said it does not consider it a vulnerability.

“In fact, this is not a security vulnerability – for example, WebRTC on a mobile device does not display an indicator in the browser. The dot [the icon – Ed.] only works in the desktop version if there is space available in the user’s Chrome interface. With this in mind, we are considering ways to improve the situation,” Google noted.

However, Bar-Zik does not agree with the tech giant's view. According to him, a large number of users give permission without paying attention to what exactly they are agreeing to. If a user accidentally or inadvertently gives a website permission to access the video and audio components, attackers can carry out more complex attacks. For example, an attacker can use a small pop-up window to run malicious code that gains access to the camera and can take photos or record the user's movements without his knowledge.