Chrome bug that lets sites secretly record you ‘not a flaw’, insists Google

Remember last year’s Google Chrome bug that gave pirates a way to steal streaming movies?

Well, we’re ready for our closeup, Mr DeMille! This time, we’re potentially the stars of hackers’ movies: there’s a Google Chrome “bug” (depending on who you ask) that allows sites to surreptitiously record audio and video, all without an indicator light.

As BleepingComputer reports, AOL web developer Ran Bar-Zik discovered the issue – which Google says is not a security vulnerability – while at work, when he was dealing with a website that ran WebRTC code.

WebRTC is a protocol for streaming audio and video content over the internet in real time via peer-to-peer connections.

On the “this is not a security bug” side of the coin, a user first has to grant a site permission before it can access audio and video. After a site receives permission to stream audio and video, it can run JavaScript code that records audio or video content before it sends the content to other participants of a WebRTC stream, as Bar-Zik’s bug report explains.

The thing is, the JavaScript doesn’t have to run in the same tab as where the permission was granted. It can record on a separate tab that doesn’t display the graphical red dot that indicates that WebRTC is recording. Thus, after permission is given, the site can listen to the user whenever it – or a hacker – wants to.

The recording process is done via the JavaScript-based MediaRecorder API, according to BleepingComputer.

Bar-Zik reported the issue and heard back from Google on the same day. Its argument was that the red circle and dot recording icon aren’t present in all versions of Chrome, so the real way to defend against an attack would be in the permissions popup. Google’s take on it:

This isn’t really a security vulnerability – for example, WebRTC on a mobile device shows no indicator at all in the browser. The dot is a best-first effort that only works on desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation.

Bar-Zik doesn’t buy it. He says that it would be pretty easy to trick a victim who’s suffering from “I’m not reading another pop-up, I’ll just click OK” permissions fatigue.

“Real-world attacks aren’t going to be very obvious,” he told BleepingComputer. From the writeup:

For example, Bar-Zik argues that an attacker could use very small popups to launch the attack code. This code can use the camera for a millisecond to take a user’s picture, or for hours, recording the user’s movements or nearby audio.

If the user doesn’t notice the popup in his toolbar, there’s no visual indicator to cue him that someone is accessing his audio and video components. One of the sneakiest scenarios would be if the attacker disguised the popup as a mundane ad. If the user doesn’t immediately close the ad’s popup, an attacker remains with a surveillance channel opened on the user’s PC.

An attacker wouldn’t even have to create a website to steal the recording permission, he said. Rather, they could exploit a cross-site scripting (XSS) flaw – also known as one of the web attacks that refuse to die – on legitimate websites that have already been granted audio and video access.

Bug? Not bug? You can decide for yourself: Bar-Zik has put up a harmless demo that asks you for permission, launches a popup when you click OK, records 20 seconds of audio, and provides a download link for the recorded file.

The proof-of-concept code is also available for download here.