Chrome bug that lets sites secretly record you ‘not a flaw’, insists Google

June 17, 2017

Source: Sophos-Naked Security

Remember last year’s Google Chrome bug that gave pirates a way to steal streaming movies?

Well, we’re ready for our closeup, Mr DeMille! This time, we’re potentially the stars of hackers’ movies: there’s a Google Chrome “bug” (depending on who you ask) that allows sites to surreptitiously record audio and visual, all without an indicator light.

As BleepingComputer reports, AOL web developer Ran Bar-Zik discovered the issue – which Google says is not a security vulnerability – while at work, when he was dealing with a website that ran WebRTC code.

WebRTC is a protocol for streaming audio and video content over the internet in real time via peer-to-peer connections.

On the “this is not a security bug” side of the coin, a user first has to grant a site permission before it can access audio and video. After a site receives permission to stream audio and visual, it can run JavaScript code that records audio or video content before it sends the content to other participants of a WebRTC stream, as Bar-Zik’s bug report explains.

The thing is, the JavaScript doesn’t have to run in the same tab as where the permission was granted. It can record on a separate tab that doesn’t display the graphical red dot that indicates that WebRTC is recording. Thus, after permission is given, the site can listen to the user whenever it – or a hacker – wants to.

The recording process is done via the JavaScript-based MediaRecorder API, according to BleepingComputer.
