AOL developer Ran Bar-Zik told Google on April 10, 2017 that a Google Chrome vulnerability allowed websites to record video and audio from users without their knowledge.
Google’s reply: “This isn’t really a security vulnerability.”
If that surprises you, as it did us, read on.
How Does the Vulnerability Work?
Google Chrome supports WebRTC (Web Real-Time Communication), an open set of standards and browser APIs that let a web page set up peer-to-peer connections and use the camera and microphone for real-time communication such as chat and voice calls, without a plugin.
As a first line of defence, a website must ask your permission before it can access the camera or microphone. Once you grant it, however, Chrome remembers the grant for that site: every later visit can start capturing without asking again, until you revoke the permission in the site's settings.
The second line of defence is visual: a red dot appears on the browser tab whenever a site is capturing from the camera or microphone, so you can at least see that capture is happening. That is where the problem begins.
Now for the hack.
The red dot lives in the tab strip, so Chrome does not draw it for windows that lack that UI, such as a small popup or pop-under opened with JavaScript (what Bar-Zik calls headless windows), and mobile Chrome has no indicator at all. A site that already holds a grant can therefore start capture from such a window and the user sees nothing. It is a small gap in the UX, but a site operator can use it to mount several kinds of attack on users.
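To see both mechanisms on your own browser, here is an added self-test in browser JavaScript. It is not Bar-Zik's proof of concept and not Chrome code; the helper names are ours. It assumes it is run from the console of a page served over HTTPS (getUserMedia requires a secure context), that the Permissions API knows the names 'camera' and 'microphone' (browsers that do not are reported as 'unknown'), and that a popup opened on about:blank inherits the opener's origin so the grant the tab already holds applies to it. Nothing is sent anywhere; the captured frame stays in the returned object.

```javascript
// Added self-test for the capture indicator gap described above (not Bar-Zik's
// PoC, not Chrome code; helper names are ours). Run from the console of a page
// served over HTTPS: getUserMedia only works in a secure context.

// Permissions API: does this origin already hold a persistent grant? Browsers
// that do not know the 'camera'/'microphone' names throw, so report 'unknown'.
async function capturePermissionStates(nav = navigator) {
  const states = {};
  for (const name of ['camera', 'microphone']) {
    try {
      const status = await nav.permissions.query({ name });
      states[name] = status.state; // 'granted' | 'prompt' | 'denied'
    } catch (e) {
      states[name] = 'unknown';
    }
  }
  return states;
}

// Pure helper: reduce MediaStreamTracks (or objects shaped like them) to the
// facts an audit cares about: what was captured and whether it is still live.
function summarizeTracks(tracks) {
  return tracks.map(t => ({ kind: t.kind, label: t.label || '', readyState: t.readyState }));
}

// Stop every track and report whether the device was actually released. A
// track left 'live' keeps the camera on, indicator or not.
function releaseTracks(tracks) {
  for (const t of tracks) t.stop();
  return tracks.every(t => t.readyState === 'ended');
}

// window.open feature string for a small window without the tab strip where
// Chrome draws the red dot. Size and position are arbitrary (assumption).
function popupFeatures(width = 120, height = 120) {
  return `width=${width},height=${height},left=0,top=0,toolbar=no,menubar=no,location=no`;
}

// Grab one frame from the camera as seen by `win` (the tab itself or a popup),
// stop the track at once, and report how long the camera was actually open.
// The frame stays in the returned object; nothing is sent anywhere.
async function captureSnapshot(win = window) {
  const started = win.performance.now();
  const stream = await win.navigator.mediaDevices.getUserMedia({ video: true, audio: false });
  const video = win.document.createElement('video');
  video.muted = true; // muted playback needs no user gesture
  video.srcObject = stream;
  await video.play();
  if (!video.videoWidth) {
    await new Promise(r => video.addEventListener('loadedmetadata', r, { once: true }));
  }
  const canvas = win.document.createElement('canvas');
  canvas.width = video.videoWidth;
  canvas.height = video.videoHeight;
  canvas.getContext('2d').drawImage(video, 0, 0);
  const tracks = stream.getTracks();
  const released = releaseTracks(tracks);
  return {
    dataUrl: canvas.toDataURL('image/jpeg', 0.8),
    elapsedMs: Math.round(win.performance.now() - started),
    tracks: summarizeTracks(tracks),
    released,
  };
}

// Capture once in the tab (indicator expected on the tab) and once in a
// same-origin popup. Assumption: an about:blank popup inherits the opener's
// origin, so the grant the tab already holds applies to it without a prompt.
async function probeIndicator() {
  const permissions = await capturePermissionStates();
  const inTab = await captureSnapshot(window);
  const popup = window.open('about:blank', 'capture-probe', popupFeatures());
  if (!popup) throw new Error('popup blocked; allow popups for this origin and retry');
  try {
    const inPopup = await captureSnapshot(popup);
    return { permissions, inTab, inPopup };
  } finally {
    popup.close();
  }
}
```

Call `probeIndicator()` once and accept the prompt, then call it again: the second run reports `permissions.camera === 'granted'` and no prompt appears, which is the persistence described above, and the `inPopup` capture runs in a window with no tab strip to carry the red dot, so you can compare what your browser shows in each case. `elapsedMs` shows how briefly the camera needs to be open to obtain a frame, and `released` confirms the track was actually stopped, which is the check worth making on any page that calls getUserMedia.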
Why Does Google Think that This is Not a Flaw?
According to Google, this is not a vulnerability because the red dot is a “best-first effort that only works on the desktop when we have chrome UI space available.”
That also means mobile Chrome will never show you the red dot, since there is no such UI space on a phone.
Flaw or Not, It’s a Major Privacy Issue
Whether Google considers this Chrome quirk a flaw is not really the question here. The real question is one of privacy. If a malicious website is targeting you as a user, Bar-Zik says it can do this:
“A real attack will not be very obvious, of course. It can use a very small pop-under, submit the data anywhere and close it when the user focuses on it. It can use the camera for a millisecond to get your picture. On mobile, there is no such visual indication.”
That is a scary proposition. Any site that looks legitimate enough to be granted access just once can capture on every later visit without your noticing, for as long as the grant stands. The grant is tied to that site's origin, so the site still has to get you onto one of its pages to use it, but nothing else stands in its way until you revoke the permission.
To be fair to Google, they do recognize that this is not the ideal setup: “we are looking at ways to improve this situation.”
Though the flaw was demonstrated on Google Chrome, Bar-Zik says it could potentially work on other browsers that support WebRTC, which means most popular browsers: Microsoft Edge, Mozilla Firefox, Opera and so on.
Is WebRTC the Real Problem Here?
No. The problem is not the protocol but how a browser surfaces what the protocol is doing: a weak or missing capture indicator gives attackers a way to abuse an otherwise legitimate feature, as this Chrome behaviour shows.
WebRTC is not going away over an implementation-level privacy issue. Google will eventually find a better way to surface capture in Chrome, because these protocols are what make media streaming, desktop sharing, video conferencing and other real-time communication possible without bulky plug-ins that bring security risks of their own.
But unauthorized recording of video and audio is certainly a problem you can’t ignore. Is it any wonder that even tech-savvy people like Mark Zuckerberg and other famous personalities like former FBI Director James Comey tape up their webcams?