Security: Sites client side code can record audio\video without the tab red dot visual alert.
Reported by bar...@gmail.com, Apr 10 2017
VULNERABILITY DETAILS
After getting the audio\video usage permissions for WebRTC, JS code can record video\audio without showing the graphical red dot in the tab when the record process is running. I.e., after the permission is given, the site can listen to the user whenever he wants to. It is done because the JS `window.open` method does not give a visual indication on record init.

VERSION
Chrome Version: 57.0.2987 + Stable
Operating System: Windows 10 Home 64 bit. version 1607 Build 14393,953

REPRODUCTION CASE
1. Site requests the web-rtc permission.
2. Site manipulates the user to open a JS window without header (pop up\pop under).
3. The code in the JS window can record video or audio anytime without the red dot visual alert.

POC can be found here: https://internet-israel.com/internet_files/webrtc/index.html
1. Click on the first button.
2. Click on the second button.
3. Look at the record process in the popup (it will stop after 20 seconds and you will be able to download the sound file).

Notice that no red icon is available in the parent page.

I've attached the POC code to this message.
Apr 10 2017
Thanks for the report. This isn't really a security vulnerability - for example, WebRTC on a mobile device shows no indicator at all in the browser. The dot is a best-first effort that only works on desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation. I'll put this in our general permissions indicator pool.
May 31 2017
I think that this needs to be at least P1. Being able to record audio/video without an indicator is problematic in my opinion. On Android we show an OS-level notification if something is recording. A workaround could be to block video/audio permission for popups?
May 31 2017
We're aware of this issue and we're actively looking at solutions. Please note:
* Mic and camera access occurs only after you explicitly grant permission to that site.
* The *popup* address bar does contain an indicator if the site is recording mic or camera (gray camera icon, see attached). It is not true that a website can record without any indicator (--> setting priority back to P2)
* Chrome goes above and beyond by showing these indicators; other browsers still support plugins which access camera/mic in ways that aren't clear to users, or that even the browser can't detect
* More details about granting or removing website permissions are here: https://support.google.com/chrome/answer/6148059.