Slashdot Mirror


Google Chrome Bug Lets Sites Record Audio and Video Without a Visual Indicator (bleepingcomputer.com)

New submitter aafrn writes: "Ran Bar-Zik, a web developer at AOL, has discovered and reported a bug in Google Chrome that allows websites to record audio and video without showing a visual indicator," reports BleepingComputer. "The bug is not as bad as it sounds, as the malicious website still needs to get the user's permission to access audio and video components, but there are various ways in which this issue could be weaponized to record audio or video without the user's knowledge. The bug's central element is a 'red circle and dot' icon that Chrome usually shows when recording audio or video streams." Bar-Zik discovered that if the JavaScript code that does the actual audio and video recording is launched inside a small popup, the icon is not shown anymore. This opens the door for various types of scenarios, where an attacker that has tricked a user into granting him permission to record audio and video records user data when the user doesn't expect this (no visual indicator). For example, an attacker could disguise audio/video recording code inside popup ads. If the user doesn't close the popup, the popup continues to stream audio and video from the victim's house. Google declined to consider this a security bug.

36 comments

  1. A bug.. or is it? by Anonymous Coward · · Score: 5, Insightful

    "Google declined to consider this a security bug."

    For companies like Google, this is a feature, not a bug.

    1. Re:A bug.. or is it? by TWX · · Score: 3, Insightful

      Makes me wonder if they got one of those national security letters warning them against fixing the vulnerability that allows this to happen.

      --
      Do not look into laser with remaining eye.
    2. Re:A bug.. or is it? by Namarrgon · · Score: 4, Interesting

      Because the user still has to explicitly grant permission for mic/camera access first. There is no unauthorized recording, so no security breach.

      The issue is that Chrome's red-dot recording indicator UI can get hidden. This isn't ideal of course, but isn't unique either - there are many cases where this might not show, such as in fullscreen mode or in mobile browsers.

      --
      Why would anyone engrave "Elbereth"?
    3. Re:A bug.. or is it? by Anonymous Coward · · Score: 0, Insightful

      Hey dipshit,

      Google recording something on a google site using google chrome (which I've allowed) but without making me aware of it (which I don't consent to) is a security bug. Shut the fuck up with your "Because the user has still explicitly " because you've given a stupid excuse for this bad behavior.

    4. Re:A bug.. or is it? by Anonymous Coward · · Score: 0

      OK, so say you want to let site x access mic/camera because reasons. Site x doesn't do that directly - why would they want to deal with the complexity or the load on their system? - so they contact a third party who asks for permission. You (blindly) hit allow, assuming it's for site x: now a third party has access to your mic/cam.

      So you trust company x, obviously, but do you trust them to fully vet the third party and not just go with the lowest bidder? Do you trust the third party to only contract to reputable organisations?

    5. Re:A bug.. or is it? by Namarrgon · · Score: 2

      If you don't trust Google to not abuse the ability to record you, why did you give it explicit permission in the first place (or even install Chrome)?

      If you think showing a small red dot somewhere on the screen counts as "security", then I assume you also never take your eyes off the screen, or leave a website open when your back is turned, or cover up the browser with another window, or let your screen go blank, or have enough tabs that there's no room to display the indicator, or use fullscreen mode, etc etc.

      That said, I agree there is room for improvement. Firefox shows a fingernail-sized window that remains visible in a couple of these cases - hardly enough to be considered "security" but still a little better for awareness. Chrome could do the same.

      --
      Why would anyone engrave "Elbereth"?
    6. Re:A bug.. or is it? by viperidaenz · · Score: 1

      I haven't tested it but the draft covering this API says the browser should require a permission that covers both origins, so you'd need to grant permission for the combination of site x + 3rd party

      That's been in the draft since December 2015

      If that's not how it works in Chrome, then it's a bug

    7. Re:A bug.. or is it? by WaffleMonster · · Score: 1

      Because the user still has to explicitly grant permission for mic/camera access first. There is no unauthorized recording, so no security breach.

      Perpetual grant from a domain that need not match domain of site user is actually visiting.

    8. Re:A bug.. or is it? by Anonymous Coward · · Score: 1

      Makes me wonder if they got one of those national security letters warning them against fixing the vulnerability that allows this to happen.

      No, but only because they previously already got one directing them to create it, and many others, in the first place. It's Google's entire purpose for existence.

    9. Re:A bug.. or is it? by Namarrgon · · Score: 1

      If it's the case that permission for one domain allows recording by a different domain, that's an entirely different issue, and much more serious for security.

      --
      Why would anyone engrave "Elbereth"?
    10. Re: A bug.. or is it? by Reverend+Green · · Score: 1

      Google is always watching.

    11. Re:A bug.. or is it? by someone1234 · · Score: 1

      Still better than file://c:/$mft/123

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
  2. the real bug by Anonymous Coward · · Score: 0

    The real bug is that someone gave Chrome access to the camera and microphone in the first place.

    Google should be on the default blacklist for Windows and Android for "do not even let the app ask the user for permission; it's denied unless the user actively seeks out the permission and grants it after getting a 'only a stupid person would give Google access to their camera or microphone' warning followed by 'are you really sure you want to let Google spy on you 24/7?'."

    1. Re:the real bug by viperidaenz · · Score: 3, Insightful

      Google/Phone manufacturer already has access to the camera on your phone.
      Who do you think makes the Camera app? That's an app you're pretty much guaranteed to require the Camera and Audio permissions and it's pre-installed. It's probably also got location permissions as well for geo-tagging.
      If they wanted to spy on you, that's the easiest way to do it.

    2. Re:the real bug by Anonymous Coward · · Score: 0

      I bought a Huawei Android phone shipped direct from China. On this phone Google apps have to ask permission to access pretty much everything. There is a checkbox "remember and don't ask again". Also the power consumption watchdog offers to shit-can background Google apps as soon as I stop using them. I have never had this level of control over Google apps on US-branded phones... Also, the government of China secretly watches my every move :)

    3. Re:the real bug by crtreece · · Score: 1

      Is your phone running 7.x? I have a new phone that I loaded LineageOS 14.1 (currently based on Android 7.1.2) on, and it's got the per-app permission controls that are incorporated directly into android now. Previously you had to load something like XPrivacy to get that level of permission selection.

      --
      file: .signature not found
  3. Re:That's not a bug. by Anonymous Coward · · Score: 0

    Jewish Google? I think you mean Hindu Google.

  4. Ran... by Anonymous Coward · · Score: 0

    And he Raaaaan, so far awaa-aaa-aaaaa,

    And he Raaaaann to google right awaaa-aaa-aaa,

    But they turned him away.

    Come on, Flock of Seagulls, anyone? Bueller?

  5. And Since Google Has Its Tentacles In 99% Of Sites by Anonymous Coward · · Score: 0

    Google is recording YOU! Above what it already does! Yes, you SHOULD care!

  6. Taste of their own medicine by Anonymous Coward · · Score: 0

    Google being testy when someone else does what they do to them. Since Google stated this isn't a security flaw, there's no reason for AOL to withhold the bug until the fix.

    1. Re:Taste of their own medicine by viperidaenz · · Score: 1

      What is there to withhold?
      It's simply recording video in a popup after the user has explicitly granted the domain video permissions.
      It's not a bug.

  7. I agree, it's a non-issue by viperidaenz · · Score: 5, Insightful

    It's only impacting Chrome on a PC, not Android.
    Most cameras on PC's have an activity LED that's going to show up when it's active. This offers no way to bypass that LED.
    The "red dot" has always been a "best efforts" indicator, since it's not visible to a user if they have too many tabs open or the browser is running in full-screen mode, same with the "audio playing" indicator.

    The popup that is recording video still has the camera icon in its address bar.
    The permission popup is non-modal so doesn't stop you accessing the page, lowering the risk of "UI fatigue" induced accepting. It's got no hot-key bound to "Accept". Escape will block the permission.

    You could argue full-screen mode is an even worse security bug, since it hides the whole address bar, including HTTPS issues. All you have to do is trick the user into pressing F11. No broken HTTPS icon, no recording icon, no audio playing icon, no URL is shown.

    1. Re:I agree, it's a non-issue by WaffleMonster · · Score: 2

      It's only impacting Chrome on a PC, not Android.

      So only hundreds of millions of users. No biggie.

      Most cameras on PC's have an activity LED that's going to show up when it's active. This offers no way to bypass that LED.

      Who besides yourself is talking about Google chrome cracking camera drivers or firmware to disable LEDs? Where are the Microphone LEDs? Keeping in mind microphones have been successfully exploited as proxies for key loggers.

      The "red dot" has always been a "best efforts" indicator, since it's not visible to a user if they have too many tabs open

      LOL "It's broke anyway"

      The permission popup is non-modal so doesn't stop you accessing the page, lowering the risk of "UI fatigue" induced accepting. It's got no hot-key bound to "Accept". Escape will block the permission.

      The page knows you blocked or didn't yet accept the permission and is free to do whatever it pleases with that knowledge. The only possible user friendly option is to LIE to the application.

      You could argue full-screen mode is an even worse security bug, since it hides the whole address bar, including HTTPS issues.

      "It's broke anyway" v.bis

      All you have to do is trick the user into pressing F11. No broken HTTPS icon, no recording icon, no audio playing icon, no URL is shown.

      x3

    2. Re:I agree, it's a non-issue by AHuxley · · Score: 1

      Some reflection back on "This offers no way to bypass that LED." issue on the Apple side over the years.
      "OverSight: Exposing Spies on macOS"
      https://www.youtube.com/watch?...
      11 mins in for the led cam issues over the years.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:I agree, it's a non-issue by donaldm · · Score: 1

      Hmm! Let's see:

      1. Camera? - No!
      2. Microphone? - No!
      3. Operating System? - No Microsoft OS!
      4. Web browser? - Chrome, Firefox, QupZilla and anything I feel like except IE or Edge.

      I can connect a camera and microphone via USB if I really do need to use them (which I don't). I think I am pretty much OK. :-)

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
  8. Reason #992 to Ad Block, always. by Anonymous Coward · · Score: 0

    Who has a legitimate use for popups other than ads? Especially popups of diminutive size?
    Keep digging your own graves, ad networks. We'll block harder and harder until there's either nothing left to exploit, or 'java' script dies the death it truly deserves.

  9. Physical shutter by Anonymous Coward · · Score: 0

    Physical shutters on all webcams on laptops

    1. Re:Physical shutter by DontBeAMoran · · Score: 1

      Rip off the camera and microphone hardware from the computer. It's the only way to be sure.

      ... short of nuking the computer from orbit.

      --
      #DeleteFacebook
  10. every time... by Anonymous Coward · · Score: 0

    if the JavaScript code that does the actual audio and video recording is launched inside a small popup,

    I can't even recall the last time one of these vulnerabilities came by that was NOT enabled in some manner by javascript.

    Anyone still running Javascript by default at this point is more or less asking for what they get. The attack surface is simply too huge to secure. We've seen problem after problem after problem since the dawn of the JS era.

    Disable that shit by default, people, or stop griping about what you allow someone else to do with your computer.

    1. Re:every time... by Anonymous Coward · · Score: 0

      "Anyone still running Javascript by default at this point is more or less asking for what they get"
      Not allowing JavaScript makes a lot of sites unusable. Prompting the user to enable JavaScript on every page that uses JavaScript is annoying and nobody really wants to be prompted on every single page you access. JavaScript has some security considerations like every other piece of software running today. However it is the developers that incorrectly implement JavaScript that cause most of the problems.

    2. Re:every time... by Anonymous Coward · · Score: 0

      Not allowing JavaScript makes a lot of sites unusable.

      Because you have taught sites that they can depend on Javascript being available... because you enable it by default. It's entirely a self-made problem that never had to exist.

      JavaScript has some security considerations

      When it comes to the web, Javascript is THE security problem. All others are a rounding error in comparison.

  11. A popup window? Really? by MobyDisk · · Score: 1

    Unsolved mystery since 1995: Why do web browsers support popup windows? It might be the worst idea since the <marquee> tag.

  12. 7 mentions of Microsoft and 10 of Windows by najajomo · · Score: 1

    That's a record even for the Microsoft slashdot.

  13. Re:A popup window? Really? by Anonymous Coward · · Score: 0

    Beats me. I never understood why popup windows were useful in the first place

  14. AOL by spudnic · · Score: 1

    AOL has web developers? AOL has employees?

    --
    load "linux",8,1