Imagine learning one day that our web browser has been recording everything we say without our knowledge.
That would be a scary thing to discover, and the strange part is that it is actually possible.
A UX design bug in Google’s Chrome browser allows malicious websites to record audio or video without giving any indication that the user is being spied on.
This vulnerability was reported to Google by AOL developer Ran Bar-Zik on April 10, 2017.
There are no reports yet of any privacy breach due to the bug, as a malicious website still needs the user’s permission to access the audio and video components. But there are numerous ways in which this shortcoming could be used to record audio or video without the user’s knowledge.
How can you detect that your data is being recorded?
A red recording dot appears in place of the volume icon when either your webcam or microphone is being accessed, to indicate that the streaming is live.
The bug was discovered when Ran Bar-Zik tried to open a website that ran WebRTC code. The code that allows recording does not always need to run in a Google Chrome tab, because the permission has already been granted. The researcher says it is a threat to security, as users often grant permission without reading or understanding what they are agreeing to. This opens the way for attackers.
What is WebRTC code?
WebRTC (Web Real-Time Communications) is a technology that enables web applications and sites to capture and optionally stream audio and/or video media, as well as to exchange arbitrary data between browsers without requiring any intermediary hardware or device.
How the browser works with the camera and microphone
To prevent unauthorized video and audio streaming, Chrome asks users to explicitly allow a website to use WebRTC.
Once access is granted, the website can use the camera and microphone and can therefore record all your activity. This stops only when you manually revoke the WebRTC permissions.
You can prevent the website from recording your audio and video stream by clicking on the red button (if visible).
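As an added example (not from the original article and not Chrome's own code), the following JavaScript lists the sites that still hold a camera or microphone grant in a Chrome profile, so they can be reviewed and revoked. It assumes the grants are stored in the profile's Preferences JSON under profile.content_settings.exceptions.media_stream_camera and media_stream_mic, with setting 1 meaning "allow"; the function name and the sample data are constructed for illustration.

```javascript
// Added example: list sites holding a persistent camera/microphone grant.
// Assumption: Chrome keeps these grants in the profile's "Preferences" JSON under
// profile.content_settings.exceptions.<key>, keyed by "primary,secondary" URL
// patterns, where setting 1 means "allow" and 2 means "block".
const MEDIA_KEYS = { media_stream_camera: 'camera', media_stream_mic: 'microphone' };
const SETTING_ALLOW = 1;

function auditPreferencesText(jsonText) {
  let prefs;
  try {
    prefs = JSON.parse(jsonText);
  } catch (err) {
    throw new Error('Preferences is not valid JSON: ' + err.message);
  }
  const exceptions = prefs?.profile?.content_settings?.exceptions ?? {};
  const byOrigin = new Map();
  for (const [key, device] of Object.entries(MEDIA_KEYS)) {
    for (const [pattern, entry] of Object.entries(exceptions[key] ?? {})) {
      // Skip blocked or malformed entries; only standing "allow" grants matter.
      if (!entry || entry.setting !== SETTING_ALLOW) continue;
      const origin = pattern.split(',')[0]; // drop the secondary pattern
      if (!byOrigin.has(origin)) byOrigin.set(origin, { origin, devices: [] });
      byOrigin.get(origin).devices.push(device);
    }
  }
  // Stable output order so results can be diffed between audits.
  return [...byOrigin.values()].sort((a, b) => (a.origin < b.origin ? -1 : 1));
}

// Constructed sample input (not taken from a real profile).
const SAMPLE_PREFS_TEXT = JSON.stringify({
  profile: { content_settings: { exceptions: {
    media_stream_camera: {
      'https://meet.example:443,*': { setting: 1 },
      'https://ads.example:443,*': { setting: 2 },
    },
    media_stream_mic: {
      'https://meet.example:443,*': { setting: 1 },
      'http://intranet.example:80,*': { setting: 1 },
    },
  } } },
});

for (const { origin, devices } of auditPreferencesText(SAMPLE_PREFS_TEXT)) {
  console.log(`${origin} may use: ${devices.join(', ')} (revoke if unexpected)`);
}
```

To audit a real profile, pass the text of its Preferences file to auditPreferencesText instead of the sample.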
How can websites secretly spy on you?
The researcher who reported the bug said that authorized websites can start recording audio and video secretly, with the red dot icon giving no indication of streaming.
Chrome is not designed to display a red dot indication on headless windows.
Even though Google is not treating this as a security vulnerability, it is indeed one that needs to be taken care of. The red circle and dot icon discussed above is not available in all Chrome versions. This bug is a loophole that could be exploited by cybercriminals at any time. To stay protected, users must be watchful of which permissions they grant to websites.
Users normally grant an online service permission to use their camera or their location, or to show notifications, without giving it much thought. Because the recording permission looks similar to the other permissions, it does not ring any bells.
But this creates a greater risk for users: because it is possible to hide the recording indicator, malicious websites may make secret recordings.
This bug increases the fear of real cybercrime attacks that are not obvious and are devious in effect. Attackers can use it and do a lot with the information without you knowing a thing. They can use the camera to take your picture and the mic to record your voice, and use these to exploit you both financially and mentally.
We cannot do much about it for now, but we can be cautious before granting access or accepting any permissions while surfing the internet.