Normally, users have to give an online service permission to use their camera or location, or to show notifications. When permission to access the microphone and camera has been given and a recording is being made, Chrome and Firefox show a visual indicator that a recording is in progress.
Together, these measures should ensure that a user is aware when audio or video is being recorded, and a user who accidentally gave permission can revoke it.
But because the recording permission looks similar to the other permissions, and because it’s possible to hide the recording indicator, malicious websites might secretly record their users, Bar-Zik writes.
Part of the problem is that many users grant permissions to websites without properly reading the permission dialog. “A lot of sites ask these and a lot of users give it without further thinking,” Bar-Zik writes in a blog post explaining the issue.
The security researcher has reported the issue to Google and has created a demonstration page where you can see how it works. While his demonstration isn’t sophisticated, attackers could improve on it, as Bar-Zik explains: “[a] real attack will not be very obvious of course. It can use very small pop-under and submit the data anywhere and close it when the user is focusing on it. It can use the camera for millisecond to get your picture. It can (In theory) use XSS to ride on legitimate sites and their permissions. The sky is the limit here.”
Google is aware of Bar-Zik’s report but doesn’t consider it a security issue. A developer at the search giant argues in a post on the Chromium bug tracker that on mobile devices there is no warning at all in the browser, and that on the desktop the visual indicator is only visible when there is space in the user interface.
Nevertheless, the developer ends his post by stating that it will look at how it can improve the situation.