Chrome might have a lurking bug that lets websites record your audio and video content without you even knowing.
That is, Chrome usually has a red indicator being displayed in a tab where the video content is being recorded. However, according to a researcher, such an indication may not always be present.
The flaw: Ran Bar-Zik is a web developer who works at AOL and is the person who found the flaw in Google Chrome.
According to Bar-Zik, the bug allows a website to record video and audio content once a user grants the website permission to do so. Nevertheless, there can sometimes be no indication that such recording is taking place.
Although the bug is quite harmless, the researcher, however, claims that it can be exploited for more sophisticated attacks, reports BleepingComputer.
The red circle: When a website is recording a video or audio, a red circle shows up in a tab.
This tab belongs to the window where the code is being executed to facilitate the recording.
However, Bar-Zik found that this may not be the case. This is because such content only starts to get recorded once a user grants permission to do so.
This may mean that a small pop-up window may be executing the code for recording audio and video content. Since a pop-up window does not have a tab, the red circle will not be shown and hence the user may be unaware that his/her video or audio is being recorded.
This can also take place within a very small pop-up that can go unnoticed by the user.
What’s the issue? You may be wondering as to why the researcher is so serious about the flaw. Essentially, the researcher believes that users sometimes accidentally grant permission to various websites to record video and audio content.
They can do so without even realizing what the permission was about and hence not know that it was for recording video and audio content.
As such, attackers may exploit the bug by tricking the user to grant permission and start recording a user’s video and audio to possibly perform a sort of secret espionage on the user.
Furthermore, Bar-Zik says that the attacker can start recording even without having a website ask for permission in the first place.
They do so by exploiting yet another flaw associated with cross-site scripting.
Issue reported to Google:
The issue was immediately reported to Google after it was discovered. However, Google replied that the issue does not pose a security threat and that the red dot does not appear on mobile devices anyway.
Furthermore, Google says that the user is required to give permission and it is the user’s responsibility to read what the permission is about before granting it.
This applies especially to those who are in newer versions of Chrome since the red dot indication is not available in them.
As such, it is the user’s responsibility to avoid granting permissions to unknown websites and thereby remain safe from such vulnerabilities.