Google Chrome Bug Lets Sites Record Audio and Video Without a Visual Indicator

New submitter aafrn writes: "Ran Bar-Zik, a web developer at AOL, has discovered and reported a bug in Google Chrome that allows websites to record audio and video without showing a visual indicator," reports BleepingComputer. "The bug is not as bad as it sounds, as the malicious website still needs to get the user's permission to access audio and video components, but there are various ways in which this issue could be weaponized to record audio or video without the user's knowledge. The bug's central element is a 'red circle and dot' icon that Chrome usually shows when recording audio or video streams." Bar-Zik discovered that if the JavaScript code that does the actual audio and video recording is launched inside a small popup, the icon is not shown anymore. This opens the door for various types of scenarios, where an attacker that has tricked a user into granting him permission to record audio and video records user data but when the user doesn't expect this (no visual indicator). For example, an attacker could disguise audio/video recording code inside popup ads. If the user doesn't close the popup, the popup continues to stream audio and video from the victim's house. Google declined to consider this a security bug.

A bug.. or is it?

[Anonymous Coward]

"Google declined to consider this a security bug."

For companies like Google, this is a feature, not a bug.

Re:A bug.. or is it?

[TWX]

Makes me wonder if they got one of those national security letters warning them against fixing the vulnerability that allows this to happen.

Re:

[Anonymous Coward]

Makes me wonder if they got one of those national security letters warning them against fixing the vulnerability that allows this to happen.

No, but only because they previously already got one directing them to create it, and many others, in the first place. It's Googles entire purpose for existence.

Re:A bug.. or is it?

[Namarrgon]

Because the user still has to explicitly grant permission for mic/camera access first. There is no unauthorized recording, so no security breach.

The issue is that Chrome's red-dot recording indicator UI can get hidden. This isn't ideal of course, but isn't unique either - there are many cases where this might not show, such as in fullscreen mode or in mobile browsers.

Re:

[Namarrgon]

If you don't trust Google to not abuse the ability to record you, why did you give it explicit permission in the first place (or even install Chrome)?

If you think showing a small red dot somewhere on the screen counts as "security", then I assume you also never take your eyes off the screen, or leave a website open when your back is turned, or cover up the browser with another window, or let your screen go blank, or have enough tabs that there's no room to display the indicator, or use fullscreen mode, etc

Re:

[viperidaenz]

I haven't tested it but the draft covering this API says the browser should require a permission that covers both origins, so you'd need to grant permission for the combination of site x + 3rd party

That's need in the draft since December 2015

If that's not how it works in Chrome, then it's a bug

Re:

[WaffleMonster]

Because the user still has to explicitly grant permission for mic/camera access first. There is no unauthorized recording, so no security breach.

Perpetual grant from a domain that need not match domain of site user is actually visiting.

Re:

[Namarrgon]

If it's the case that permission for one domain allows recording by a different domain, that's an entirely different issue, and much more serious for security.

Re: A bug.. or is it?

[Reverend Green]

Google is always watching.

Re:

[someone1234]

Still better than file://c:/$mft/123

Re:the real bug

[viperidaenz]

Google/Phone manufacturer already has access to the camera on your phone.
Who do you think makes the Camera app? That's an app you're pretty much guaranteed to require the Camera and Audio permissions and it pre-installed. It's probably also got location permissions as well for geo-tagging.
If they wanted to spy on you, that's the easiest way to do it.

Re:

[crtreece]

Is your phone running 7.x? I have a new phone that I loaded LineageOS 14.1 (currently based on Android 7.1.2) on, and it's got the per-app permission controls that are incorporated directly into android now. Previously you had to load something like XPrivacy to get that level of permission selection.

Re:

[viperidaenz]

What is there to withhold?
It's simply recording video in a popup after the user has explicitly granted the domain video permissions.
It's not a bug.

I agree, it's a non-issue

[viperidaenz]

It's only impacting Chrome on a PC, not Android.
Most cameras on PC's have an activity LED that's going to show up when it's active. This offers no way to bypass that LED.
The "red dot" has always been a "best efforts" indicator, since it's not visible to a user if they have too many tabs open or the browser is running in full-screen mode, same with the "audio playing" indicator.

The popup that is recording video still has the camera icon in its address bar.
The permission popup is non-modal so doesn't stop you accessing the page, lowering the risk of "UI fatigue" induced accepting. It's got no hot-key bound to "Accept". Escape will block the permission.

You could argue full-screen mode is an even worse security bug, since it hides the whole address bar, including HTTPS issues. All you have to do is trick the user into pressing F11. No broken HTTPS icon, no recording icon, no audio playing icon, no URL is shown.

Re:

[WaffleMonster]

It's only impacting Chrome on a PC, not Android.

So only hundreds of millions of users. No biggie.

Most cameras on PC's have an activity LED that's going to show up when it's active. This offers no way to bypass that LED.

Who besides yourself is talking about Google chrome cracking camera drivers or firmware to disable LEDs? Where are the Microphone LEDs? Keeping in mind microphones have been successfully exploited as proxies for key loggers.

The "red dot" has always been a "best efforts" indicator, since it's not visible to a user if they have too many tabs open

LOL "It's broke anyway"

The permission popup is non-modal so doesn't stop you accessing the page, lowering the risk of "UI fatigue" induced accepting. It's got no hot-key bound to "Accept". Escape will block the permission.

The page knows you blocked or didn't yet accept the permission and is free to do whatever it pleases with that knowledge. The only possible user friendly option is to LIE to the application.

You could argue full-screen mode is an even worse security bug, since it hides the whole address bar, including HTTPS issues.

"It's broke anyway" v.

Re:

[donaldm]

Hmm! Let's see:

1. Camra? - No!
2. Microphone? - No!
3. Operating System? - No Microsoft OS!
4. Web browser? - Chrome, Firefox, QupZilla and anything I feel like except IE or Edge.

I can connect a camera and microphone via USB if I really do need to use them (which I don't). I think I am pretty much OK. :-)

Re:

[AHuxley]

Some reflection back on "This offers no way to bypass that LED." issue on the Apple side over the years.
"OverSight: Exposing Spies on macOS"
https://www.youtube.com/watch?... [youtube.com]
11 mins in for the led cam issues over the years.

Re:

[DontBeAMoran]

Rip off the camera and microphone hardware from the computer. It's the only way to be sure.

... short of nuking the computer from orbit.

A popup window? Really?

[MobyDisk]

Unsolved mystery since 1995: Why do web browsers support popup windows? It might be the worst idea since the <marquee> tag.

7 mentions of Microsoft and 10 of Windows

[najajomo]

That's a record even for the Microsoft slashdot.

AOL

[spudnic]

AOL has web developers? AOL has employees?