When you’re on a webpage that’s using your camera or microphone, Chrome adds a red dot to the title of the tab. Situated just to the left of the close button, this dot lets you know that the tab is actively uploading your voice and video data. It’s meant to let you identify sites that have gained access to your hardware without your permission.
Bleeping Computer reports that AOL web developer Ran Bar-Zik has discovered a way that lets websites avoid displaying this indicator. According to Bar-Zik, the code that’s actually using the camera or mic doesn’t need to run on the tab where permission was granted to use the hardware.
In other words, a malicious site could trick the user into granting permission and then open a new tab to complete the recording. The new tab wouldn’t show the red dot, so the attackers could collect audio and video over a prolonged period of time without alerting the computer owner. In the attacker’s best case, this could continue for hours if the tab was disguised and the user didn’t notice its presence.
In a proof-of-concept attack created by the developer, the original webpage obtains permission from the user to access the webcam and microphone. It then opens a popup window containing a button to record audio. When you click the button, 20 seconds of audio is recorded from your device, even though permission hasn’t been granted to the window. The red recording dot is not displayed.
Although the bug is relatively minor, Bar-Zik warned it’s still a viable attack vector that could be effective against less technically savvy users. However, Google said the issue “isn’t really a security vulnerability,” pointing out that other implementations of the technology – such as the Chrome mobile app – don’t display a dot at all. It said it is “looking at ways” of improving on the indicator though.
“This isn’t really a security vulnerability – for example, WebRTC on a mobile device shows no indicator at all in the browser,” Google said in response to the bug filing. “The dot is a best-first effort that only works on desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation.”
Bar-Zik suggested the proof of concept could easily be weaponised to have a more severe impact on the user. He said that any real-world exploitation of the issue would not be obvious. An attacker could open very small popups or periodically flash a window open to check if a target user is speaking.
One way of disguising the popup could be to display an advert, making it look like the kind of alert many website users will already be familiar with. This could be a good way to distribute the attack, as some users may not immediately close the ad. While the immediate implications aren’t too serious, there are opportunities for attackers to invade users’ privacy using the method.