
Google Chrome Bug Lets Sites Record Audio and Video Without a Visual Indicator (bleepingcomputer.com) 36

New submitter aafrn writes: "Ran Bar-Zik, a web developer at AOL, has discovered and reported a bug in Google Chrome that allows websites to record audio and video without showing a visual indicator," reports BleepingComputer. "The bug is not as bad as it sounds, as the malicious website still needs to get the user's permission to access audio and video components, but there are various ways in which this issue could be weaponized to record audio or video without the user's knowledge. The bug's central element is a 'red circle and dot' icon that Chrome usually shows when recording audio or video streams." Bar-Zik discovered that if the JavaScript code that does the actual audio and video recording is launched inside a small popup, the icon is not shown anymore. This opens the door for various types of scenarios, where an attacker that has tricked a user into granting him permission to record audio and video records user data when the user doesn't expect it (no visual indicator). For example, an attacker could disguise audio/video recording code inside popup ads. If the user doesn't close the popup, the popup continues to stream audio and video from the victim's house. Google declined to consider this a security bug.
  • A bug.. or is it? (Score:5, Insightful)

    by Anonymous Coward on Tuesday May 30, 2017 @06:23PM (#54514415)

    "Google declined to consider this a security bug."

    For companies like Google, this is a feature, not a bug.

    • by TWX ( 665546 ) on Tuesday May 30, 2017 @06:27PM (#54514435)

      Makes me wonder if they got one of those national security letters warning them against fixing the vulnerability that allows this to happen.

      • by Anonymous Coward

        Makes me wonder if they got one of those national security letters warning them against fixing the vulnerability that allows this to happen.

        No, but only because they previously already got one directing them to create it, and many others, in the first place. It's Google's entire purpose for existence.

    • Re:A bug.. or is it? (Score:5, Interesting)

      by Namarrgon ( 105036 ) on Tuesday May 30, 2017 @06:59PM (#54514557) Homepage

      Because the user still has to explicitly grant permission for mic/camera access first. There is no unauthorized recording, so no security breach.

      The issue is that Chrome's red-dot recording indicator UI can get hidden. This isn't ideal of course, but isn't unique either - there are many cases where this might not show, such as in fullscreen mode or in mobile browsers.

      • Because the user still has to explicitly grant permission for mic/camera access first. There is no unauthorized recording, so no security breach.

        Perpetual grant from a domain that need not match domain of site user is actually visiting.

        • If it's the case that permission for one domain allows recording by a different domain, that's an entirely different issue, and much more serious for security.

    • Google is always watching.

    • Still better than file://c:/$mft/123

  • by viperidaenz ( 2515578 ) on Tuesday May 30, 2017 @07:01PM (#54514561)

    It's only impacting Chrome on a PC, not Android.
    Most cameras on PCs have an activity LED that's going to show up when it's active. This offers no way to bypass that LED.
    The "red dot" has always been a "best efforts" indicator, since it's not visible to a user if they have too many tabs open or the browser is running in full-screen mode, same with the "audio playing" indicator.

    The popup that is recording video still has the camera icon in its address bar.
    The permission popup is non-modal so doesn't stop you accessing the page, lowering the risk of "UI fatigue" induced accepting. It's got no hot-key bound to "Accept". Escape will block the permission.

    You could argue full-screen mode is an even worse security bug, since it hides the whole address bar, including HTTPS issues. All you have to do is trick the user into pressing F11. No broken HTTPS icon, no recording icon, no audio playing icon, no URL is shown.

    • It's only impacting Chrome on a PC, not Android.

      So only hundreds of millions of users. No biggie.

      Most cameras on PCs have an activity LED that's going to show up when it's active. This offers no way to bypass that LED.

      Who besides yourself is talking about Google chrome cracking camera drivers or firmware to disable LEDs? Where are the Microphone LEDs? Keeping in mind microphones have been successfully exploited as proxies for key loggers.

      The "red dot" has always been a "best efforts" indicator, since it's not visible to a user if they have too many tabs open

      LOL "It's broke anyway"

      The permission popup is non-modal so doesn't stop you accessing the page, lowering the risk of "UI fatigue" induced accepting. It's got no hot-key bound to "Accept". Escape will block the permission.

      The page knows you blocked or didn't yet accept the permission and is free to do whatever it pleases with that knowledge. The only possible user friendly option is to LIE to the application.

      You could argue full-screen mode is an even worse security bug, since it hides the whole address bar, including HTTPS issues.

      "It's broke anyway" v.

      • by donaldm ( 919619 )

        Hmm! Let's see:

        1. Camera? - No!
        2. Microphone? - No!
        3. Operating System? - No Microsoft OS!
        4. Web browser? - Chrome, Firefox, QupZilla and anything I feel like except IE or Edge.

        I can connect a camera and microphone via USB if I really do need to use them (which I don't). I think I am pretty much OK. :-)

    • by AHuxley ( 892839 )
      Some reflection back on "This offers no way to bypass that LED." issue on the Apple side over the years.
      "OverSight: Exposing Spies on macOS"
      https://www.youtube.com/watch?... [youtube.com]
      11 mins in for the LED cam issues over the years.
  • Unsolved mystery since 1995: Why do web browsers support popup windows? It might be the worst idea since the <marquee> tag.

  • That's a record even for the Microsoft slashdot.
  • by spudnic ( 32107 )

    AOL has web developers? AOL has employees?