With Google Chrome, there is a possibility that the user may be recording with a microphone and a camera without being noticed

ByDAVID BURILLO

From a security point of view, when the web browser is using a PC microphone or camera, icons are displayed on the screen and notified. However, under the specific circumstances of Google Chrome, the notice is not displayed, and it is in such a state that it can be stolen from the conversation and the state of herself with the camera and the microphone without being noticed when it is abused It is clear that there is.

The new HTML5 video \ audio API has privacy issues on desktop Chrome
https://medium.com/@barzik/the-new-html5-video-audio-api-has-privacy-issues-on-desktop-chrome-5832c99c7659

Chrome Flaw Allows Sites to Secretly Record Audio / Video Without Indication
http://thehackernews.com/2017/05/browser-camera-microphone.html

Using Google ChromeWebRTC protocolWhen doing video chat etc., such red dot icon is displayed on the tab of the window so that it is notified that the camera and the microphone are in use.


This is, of course, to let the user know that "the camera is working now" and it is important for not letting out their own private information. However, Ran Bar-Zik, a developer at the internet company AOL, discovered that this dot icon would not be displayed. Ran Bar-Zik, who thought it would be a major security problem, reported this on Google's Chromium community on April 10, 2017, but in the comment "This is not a security vulnerability It was said that there was a written that.

709952 - Security: Sites client side code can record audio \ video without the tab red dot visual alert. - chromium - Monorail


In the comment field, "If you use WebRTC on mobile terminal as well, notification will not be displayed as well.This red dot is best effort function displayed when there is enough space left in the desktop environment "Although the response that it is not similar to the bug is written," Although it is said, the community is considering ways to improve this situation "is written.

The "environment in which red dots are hidden" currently confirmed is only available when JavaScript is used to open the popup window without displaying the header of the browser window. The following screenshot screen shows its actual appearance, it is understood that despite streaming by WebRTC, the red dot icon indicating that is not displayed in the window that pops up in the foreground.


As a Chromium community, he decided that it was not "a bug" because it was, as it were "spec," but Ran Bar-Zik said that there is a risk of being attacked by malicious websites without the user's knowing , He said that he has made public its own. By accessing the following demo page, you can actually check the situation on your PC as well.

WEB RTC Chrome vulnerability example