Ran Bar-Zik reveals in a post on Medium that developers can exploit a UX element to activate the MediaRecorder API without expressly alerting the user via the red-dot indicator in the tab where the service is running.
“After getting the audio/video usage permissions for WebRTC. JS code can record video/audio without showing the graphical red dot in the tab when the record process is running. i.e. – after the permission is given the site can listen to the user whenever he want [sic] to,” reads Ran Bar-Zik’s description of the flaw on Chromium. “It is done because JS `window.open` method does not give visual indication on record init,” he adds.
To prove his claim, the developer created a proof-of-concept by rigging up a site to behave as described. After gaining general access from the user, the site opens a headless window and activates the MediaRecorder from it. Since Chrome doesn’t display the red dot in headless windows, the user can’t see that the site is recording. Even mobile versions of Chrome are apparently vulnerable, but not to the same degree.
Ran Bar-Zik imagines that a real attack leveraging this flaw would not be obvious. Those trying to exploit it will likely use a very small pop-under that disappears when the user focuses on it.
“It can use the camera for millisecond to get your picture. It can (In theory) use XSS to ride on legitimate sites and their permissions. The sky is the limit here,” he says.
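The following is an added example, not code from the article or from Bar-Zik’s proof-of-concept, showing the defender’s side of the mechanism described above: a window returned by `window.open()` is its own JavaScript realm with its own `MediaRecorder`, so an audit hook installed only in the opener never sees a recorder started in the child, and the hook has to re-apply itself to every same-origin child. Where the audit entries are shipped (for instance an extension content script forwarding them to its background page) is an assumption, and the stub realms at the bottom are constructed stand-ins for browser globals so the code runs under Node.

```javascript
// instrumentRealm(): wrap MediaRecorder.prototype.start and window.open in one
// realm, then re-apply to same-origin children so popups are covered too.
function instrumentRealm(realm, auditLog, label = "top") {
  const Recorder = realm.MediaRecorder;
  if (Recorder && !Recorder.prototype.__recAudited) {
    const start = Recorder.prototype.start;
    Recorder.prototype.start = function (...args) {
      auditLog.push({
        event: "recorder.start",
        realm: label,
        // PoC pattern: recording begins in a window that has an opener and is
        // not the window the user is currently focused on.
        suspicious: Boolean(realm.opener) && !realm.document.hasFocus(),
      });
      return start.apply(this, args);
    };
    Recorder.prototype.__recAudited = true;
  }
  const open = realm.open;
  if (typeof open === "function") {
    realm.open = function (...args) {
      const child = open.apply(this, args);
      try {
        if (child) instrumentRealm(child, auditLog, label + ">popup");
      } catch (_) {
        // Cross-origin child: its globals are not reachable from here.
        auditLog.push({ event: "open.uninstrumented", realm: label });
      }
      return child;
    };
  }
  return auditLog;
}
// Constructed stand-in for browser globals: each realm gets its own
// MediaRecorder class; open() yields an unfocused child whose opener is the parent.
function makeStubRealm(opener, focused) {
  const realm = { opener, document: { hasFocus: () => focused } };
  realm.MediaRecorder = class { start() { return "recording"; } };
  realm.open = () => makeStubRealm(realm, false);
  return realm;
}
function demo() {
  const top = makeStubRealm(null, true);
  const log = instrumentRealm(top, []);
  new top.MediaRecorder().start();         // in the visible tab: not flagged
  const popup = top.open("about:blank");   // opened the way the PoC does
  new popup.MediaRecorder().start();       // flagged as suspicious
  return log;
}
```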
As for Google, the Internet giant appreciates the report but doesn’t quite feel it’s a security vulnerability per se, offering up the following explanation:
“Thanks for the report. This isn’t really a security vulnerability – for example, WebRTC on a mobile device shows no indicator at all in the browser. The dot is a best-first effort that only works on desktop when we have chrome UI space available.”
At best, the Chromium guys promise they are “looking at ways to improve this situation.”
Bitdefender 2018, available as a public beta, offers webcam protection, blocking unwanted intrusions through webcam access. These attacks are usually carried out for extortion or spying. Users who regularly enjoy the benefits of WebRTC should only allow trusted sites to use the feature.