THERE'S A BUG in Google Chrome that reportedly allows websites to record audio and video without providing any visual indicators.
Ran Bar-Zik, a web developer at AOL, discovered the bug and was quick to sound the alarm bells. He found it at work while dealing with a website that ran WebRTC code, and claims that although the bug requires user permission to access audio and video features, the flaw could allow websites to stealthily spy on users.
When audio or video is being recorded in Chrome, a red dot and circle typically appear on the tab to indicate that the streaming is live. However, Bar-Zik discovered that the code that allows recording doesn't always need to run on the Chrome tab where the permission was granted. He found he was able to launch a Chrome pop-up where he could commence recording audio and video without any visual indicator.
Bar-Zik was quick to report the flaw to Google, but the firm ain't all that fussed, and has said it isn't a problem.
"This isn't really a security vulnerability - for example, WebRTC on a mobile device shows no indicator at all in the browser," a Google spokesperson said. "The dot is a best-first effort that only works on desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation."
Bar-Zik disagrees, though, and in an interview with Bleeping Computer argued that many people are affected by UI fatigue and tend to click through many permission prompts without reading what they are agreeing to.
He added that once a user has granted permissions to a website, hackers could potentially launch more sophisticated attacks and open up a surveillance channel on the victim's PC.
"Real attacks will not be very obvious," Bar-Zik said. µ