Project: chromium Issues People Development process History Sign in
New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 15 users
Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Chrome, Mac
Pri: 2
Type: Bug

Restricted
  • Only users with EditIssue permission may comment.



Sign in to add a comment
Security: Sites client side code can record audio\video without the tab red dot visual alert.
Reported by bar...@gmail.com, Apr 10 Back to list
VULNERABILITY DETAILS
After getting the audio\video usage permissions for WebRTC. JS code can record video\audio without showing the graphical red dot in the tab when the record process is running. i.e. - after the permission is given the site can listen to the user whenever he want to. 
It is done because JS `window.open` method does not give visual indication on record init. 

VERSION
Chrome Version:  57.0.2987 + Stable
Operating System: Windows 10 Home 64 bit. version 1607 Build 14393,953

REPRODUCTION CASE
1. Site request the web-rtc permission.
2. Site manipulate user to open JS window without header (pop up\pop under).
3. The code in the JS window can record video or audio anytime without red dot visual alert.
POC can be found here:
https://internet-israel.com/internet_files/webrtc/index.html
1. Click on the first button.
2. Click on the second button.
3. Look at the record process in the popup (it will stop after 20 seconds and you will be able to download the sound file). Notice that no red icon is available in the parent page.
I've attached the POC code to this message.



 
webrtc_vol.zip
6.0 KB Download
Components: UI>Browser>Permissions>Indicators
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Team-Security-UX OS-Chrome OS-Linux OS-Mac OS-Windows Type-Bug
Status: Available
Thanks for the report.

This isn't really a security vulnerability - for example, WebRTC on a mobile device shows no indicator at all in the browser. The dot is a best-first effort that only works on desktop when we have chrome UI space available.

That being said, we are looking at ways to improve this situation. I'll put this in our general permissions indicator pool.
Components: Privacy
Labels: Pri-2
Assigning P2.
Cc: juberti@chromium.org
Cc: msramek@chromium.org
Labels: -Pri-2 Pri-1
I think that this needs to be at least P1. Being able to record audio/video without indicator is problematic in my opinion. On Android we show a OS level notification if something is recording.

A workaround could be to block video/audio permission for popups?
Cc: niklase@chromium.org
Labels: -Pri-1 Pri-2
We're aware of this issue and we're actively looking at solutions. Please note:
* Mic and camera access occurs only after you explicitly grant permission to that site.
* The *popup* address bar does contain an indicator if the site is recording mic or camera (gray camera icon, see attached). It is not true that a website can record without any indicator (--> setting priority back to P2)
* Chrome goes above and beyond by showing these indicators; other browsers still support plugins which access camera/mic in ways that aren't clear to users, or that even the browser can't detect
* More details about granting or removing website permissions are here: https://support.google.com/chrome/answer/6148059.
CameraIcon.tiff
75.5 KB Download
Labels: Restrict-AddIssueComment-EditIssue
Sign in to add a comment