Chrome ‘bug’ allows websites to secretly record video and audio of visitors

Posted 30 May 2017 18:50 CEST by Jan Willem Aldershoff

A bug (or design flaw) in Google Chrome allows websites to record audio and video without any visual indication in the browser. The issue was discovered by Israeli security researcher Ran Bar-Zik.

 

Normally users have to give an online service permission to use their camera or their location, or to show notifications. When permission to access the microphone and camera has been given and a recording is being made, Chrome and Firefox show a visual indicator that a recording is in progress.

All this should ensure that a user is never unaware that audio or video is being recorded, and if the user accidentally gave permission, the user can revoke that permission.

But because the recording permission looks similar to the other permissions and because it’s possible to hide the recording indicator, malicious websites might secretly record their users, Bar-Zik writes.

Part of the problem is that many users grant permissions to websites without properly reading the permission dialog. “A lot of sites asks these and a lot of users give it without further thinking,” Bar-Zik writes in a blog post explaining the issue.

The security researcher has reported the issue to Google and has created a demonstration page where you can see how it works. While his demonstration isn’t sophisticated, attackers could improve on it, as Bar-Zik explains: “[a] real attack will not be very obvious of course. It can use very small pop-under and submit the data anywhere and close it when the user is focusing on it. It can use the camera for millisecond to get your picture. It can (In theory) use XSS to ride on legitimate sites and their permissions. The sky is the limit here.”

Google is aware of Bar-Zik’s report but doesn’t consider it a security issue. A developer at the search giant argues in a post on the Chromium bug tracker that on mobile devices there is no warning at all in the browser and that the visual indicator is only visible on the desktop when there is space in the user interface.

Nevertheless, the developer ends his post by stating that it will look at how it can improve the situation.
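Because the indicator can be hidden, the grant itself is the thing to check: once a site holds a camera or microphone permission, it can start recording without prompting again. The following is an added example, not code from Bar-Zik's demonstration or from Chrome; the names `auditMediaPermissions` and `summarize` are illustrative, and it assumes a browser whose Permissions API accepts the `camera` and `microphone` names.

```javascript
// Added example: report whether the current origin holds a standing
// camera/microphone grant. Paste into the DevTools console of the site to check.
const MEDIA_PERMISSIONS = ['camera', 'microphone'];

// `permissions` defaults to the browser's Permissions API; it is a parameter
// so the function can also be exercised with a stub outside a browser.
async function auditMediaPermissions(permissions = globalThis.navigator?.permissions) {
  const report = [];
  for (const name of MEDIA_PERMISSIONS) {
    let state = 'unsupported';
    if (permissions && typeof permissions.query === 'function') {
      try {
        // Resolves to a PermissionStatus whose state is 'granted', 'denied' or 'prompt'.
        state = (await permissions.query({ name })).state;
      } catch (err) {
        // Browsers that do not implement a permission name reject the query.
        state = 'unsupported';
      }
    }
    // 'granted' means the site can capture without showing a new prompt.
    report.push({ name, state, standing: state === 'granted' });
  }
  return report;
}

// Turn the report into a one-line finding for the user.
function summarize(report) {
  const standing = report.filter((r) => r.standing).map((r) => r.name);
  return standing.length === 0
    ? 'No standing camera/microphone grant for this origin.'
    : `Standing grant for: ${standing.join(', ')}. Revoke it in the site settings if it was not intended.`;
}

// Only run automatically inside a browser page.
if (typeof window !== 'undefined') {
  auditMediaPermissions().then((r) => console.log(summarize(r)));
}
```

A result of `unsupported` means the browser could not answer the query, not that access is denied; check the site's permission settings directly in that case.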


