New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 709952 link

Starred by 20 users
Status: Available
Owner: ----
Cc:
niklase@chromium.org
msramek@chromium.org
juberti@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Bug

Restricted
  • Only users with EditIssue permission may comment.



Sign in to add a comment

Security: Sites client side code can record audio\video without the tab red dot visual alert.

Reported by bar...@gmail.com, Apr 10 2017 
VULNERABILITY DETAILS
After getting the audio\video usage permissions for WebRTC. JS code can record video\audio without showing the graphical red dot in the tab when the record process is running. i.e. - after the permission is given the site can listen to the user whenever he want to. 
It is done because JS `window.open` method does not give visual indication on record init. 

VERSION
Chrome Version:  57.0.2987 + Stable
Operating System: Windows 10 Home 64 bit. version 1607 Build 14393,953

REPRODUCTION CASE
1. Site request the web-rtc permission.
2. Site manipulate user to open JS window without header (pop up\pop under).
3. The code in the JS window can record video or audio anytime without red dot visual alert.
POC can be found here:
https://internet-israel.com/internet_files/webrtc/index.html
1. Click on the first button.
2. Click on the second button.
3. Look at the record process in the popup (it will stop after 20 seconds and you will be able to download the sound file). Notice that no red icon is available in the parent page.
I've attached the POC code to this message.
webrtc_vol.zip
6.0 KB Download

Comment 1 by dominickn@chromium.org, Apr 10 2017

Components: UI>Browser>Permissions>Indicators
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Team-Security-UX OS-Chrome OS-Linux OS-Mac OS-Windows Type-Bug
Status: Available (was: Unconfirmed)
Thanks for the report.

This isn't really a security vulnerability - for example, WebRTC on a mobile device shows no indicator at all in the browser. The dot is a best-first effort that only works on desktop when we have chrome UI space available.

That being said, we are looking at ways to improve this situation. I'll put this in our general permissions indicator pool.

Comment 2 by dullweber@chromium.org, Apr 11 2017

Components: Privacy

Comment 3 by mea...@chromium.org, Apr 26 2017

Labels: Pri-2
Assigning P2.

Comment 4 by juberti@chromium.org, May 30 2017

Cc: juberti@chromium.org

Comment 5 by battre@chromium.org, May 31 2017

Cc: msramek@chromium.org
Labels: -Pri-2 Pri-1
I think that this needs to be at least P1. Being able to record audio/video without indicator is problematic in my opinion. On Android we show a OS level notification if something is recording.

A workaround could be to block video/audio permission for popups?

Comment 6 by niklase@chromium.org, May 31 2017

Cc: niklase@chromium.org

Comment 7 by emilyschechter@chromium.org, Jun 1 2017

Labels: -Pri-1 Pri-2
We're aware of this issue and we're actively looking at solutions. Please note:
* Mic and camera access occurs only after you explicitly grant permission to that site.
* The *popup* address bar does contain an indicator if the site is recording mic or camera (gray camera icon, see attached). It is not true that a website can record without any indicator (--> setting priority back to P2)
* Chrome goes above and beyond by showing these indicators; other browsers still support plugins which access camera/mic in ways that aren't clear to users, or that even the browser can't detect
* More details about granting or removing website permissions are here: https://support.google.com/chrome/answer/6148059.
CameraIcon.tiff
75.5 KB Download

Comment 8 by emilyschechter@chromium.org, Jun 1 2017

Labels: Restrict-AddIssueComment-EditIssue

Comment 9 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 10 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt

Sign in to add a comment