Imagine: You are furiously working on a project report, when, suddenly a pop-up appears, which asks you for your permission to access video and audio component. You are anyways opening tons of websites for the research work, and without even reading the terms and conditions, you say yes, thinking, what’s the big deal.
But, unknown to you, a shady, headless popup has also opened after you granted permission, which is secretly and discreetly recording video and audio from the camera of your laptop.
And it goes on for hours, without you being aware.
If you are imagining this scenario, then be aware; because this is no longer an imagination. This has become a reality.
And the worst part: Google is in a denial mode regarding this issue, and has refused to patch this bug because they don’t consider it as a security vulnerability.
Secret Recording Of Your Video/Audio: How Scary Is That?
This bug has been discovered by Ran Bar-Zik, who is a web developer at AOL.
While dealing with a website that ran WebRTC code, he discovered this bug and immediately reported to Google.
Here is the report of this bug discovery.
WebRTC is a protocol which allows streaming of audio and video over the Internet, using browsers such as Chrome.
Now, WebRTC requires a permission, and when this permission is granted, it executes a JavaScript code which enables live video or audio streaming via browsers.
But here is the problem: When such live streaming of video/audio happens in Chrome, a small red dot appears on that tab, where that streaming is currently happening.
And the bug which has been discovered by Ran hides that tab with the red dot on which live streaming of audio/video is happening. This means that the user is not aware of that recording, as he is not able to view that red dot tab.
Why Is Google In Denial Mode?
When Ran submitted the bug report, Google responded this way:
“This isn’t really a security vulnerability – for example, WebRTC on a mobile device shows no indicator at all in the browser. The dot is a best-first effort that only works on the desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation.”
As we can see from the response, Google doesn’t consider this bug as a security vulnerability, as it is assuming that the first stage of permission granting mechanism is enough to stop its exploitation.
But as Ran explained, and as evident in our example in the beginning, due to UI fatigue, 80% of the users don’t read or understand the terms and conditions attached with the permission, and unknowingly, can allow the permission.
Ran has also developed a test scenario, wherein users can see how this bug can be exploited to discreetly record video, once a harmless permission has been given.
This test shows us that once the permission to access audio/video component has been provided, the bug allows the recording to start from any other tab as well. And exploiters usually open up a headless tab, which has no visual indicator to show that the live recording is right now happening.
Do you think that Google should consider this as a security vulnerability, and take some action to patch this bug? Do let us know by commenting right here!