Google Chrome Bug Lets Sites Record Audio and Video Without a Visual Indicator

New submitter aafrn writes: "Ran Bar-Zik, a web developer at AOL, has discovered and reported a bug in Google Chrome that allows websites to record audio and video without showing a visual indicator," reports BleepingComputer. "The bug is not as bad as it sounds, as the malicious website still needs to get the user's permission to access audio and video components, but there are various ways in which this issue could be weaponized to record audio or video without the user's knowledge. The bug's central element is a 'red circle and dot' icon that Chrome usually shows when recording audio or video streams." Bar-Zik discovered that if the JavaScript code that does the actual audio and video recording is launched inside a small popup, the icon is not shown anymore. This opens the door for various types of scenarios, where an attacker that has tricked a user into granting him permission to record audio and video records user data but when the user doesn't expect this (no visual indicator). For example, an attacker could disguise audio/video recording code inside popup ads. If the user doesn't close the popup, the popup continues to stream audio and video from the victim's house. Google declined to consider this a security bug.

A bug.. or is it?

"Google declined to consider this a security bug."

For companies like Google, this is a feature, not a bug.

Re:A bug.. or is it?

[TWX]

Makes me wonder if they got one of those national security letters warning them against fixing the vulnerability that allows this to happen.

Re:A bug.. or is it?

[Namarrgon]

Because the user still has to explicitly grant permission for mic/camera access first. There is no unauthorized recording, so no security breach.

The issue is that Chrome's red-dot recording indicator UI can get hidden. This isn't ideal of course, but isn't unique either - there are many cases where this might not show, such as in fullscreen mode or in mobile browsers.

Re:A bug.. or is it?

[Namarrgon]

If you don't trust Google to not abuse the ability to record you, why did you give it explicit permission in the first place (or even install Chrome)?

If you think showing a small red dot somewhere on the screen counts as "security", then I assume you also never take your eyes off the screen, or leave a website open when your back is turned, or cover up the browser with another window, or let your screen go blank, or have enough tabs that there's no room to display the indicator, or use fullscreen mode, etc etc.

That said, I agree there is room for improvement. Firefox shows a fingernail-sized window that remains visible in a couple of these cases - hardly enough to be considered "security" but still a little better for awareness. Chrome could do the same.

Re:the real bug

[viperidaenz]

Google/Phone manufacturer already has access to the camera on your phone.
Who do you think makes the Camera app? That's an app you're pretty much guaranteed to require the Camera and Audio permissions and it pre-installed. It's probably also got location permissions as well for geo-tagging.
If they wanted to spy on you, that's the easiest way to do it.

I agree, it's a non-issue

[viperidaenz]

It's only impacting Chrome on a PC, not Android.
Most cameras on PC's have an activity LED that's going to show up when it's active. This offers no way to bypass that LED.
The "red dot" has always been a "best efforts" indicator, since it's not visible to a user if they have too many tabs open or the browser is running in full-screen mode, same with the "audio playing" indicator.

The popup that is recording video still has the camera icon in its address bar.
The permission popup is non-modal so doesn't stop you accessing the page, lowering the risk of "UI fatigue" induced accepting. It's got no hot-key bound to "Accept". Escape will block the permission.

You could argue full-screen mode is an even worse security bug, since it hides the whole address bar, including HTTPS issues. All you have to do is trick the user into pressing F11. No broken HTTPS icon, no recording icon, no audio playing icon, no URL is shown.

Re:I agree, it's a non-issue

[WaffleMonster]

It's only impacting Chrome on a PC, not Android.

So only hundreds of millions of users. No biggie.

Most cameras on PC's have an activity LED that's going to show up when it's active. This offers no way to bypass that LED.

Who besides yourself is talking about Google chrome cracking camera drivers or firmware to disable LEDs? Where are the Microphone LEDs? Keeping in mind microphones have been successfully exploited as proxies for key loggers.

The "red dot" has always been a "best efforts" indicator, since it's not visible to a user if they have too many tabs open

LOL "It's broke anyway"

The permission popup is non-modal so doesn't stop you accessing the page, lowering the risk of "UI fatigue" induced accepting. It's got no hot-key bound to "Accept". Escape will block the permission.

The page knows you blocked or didn't yet accept the permission and is free to do whatever it pleases with that knowledge. The only possible user friendly option is to LIE to the application.

You could argue full-screen mode is an even worse security bug, since it hides the whole address bar, including HTTPS issues.

"It's broke anyway" v.bis

All you have to do is trick the user into pressing F11. No broken HTTPS icon, no recording icon, no audio playing icon, no URL is shown.

x3