A vulnerability reported in the Google on April 10, 2017 allows an attacker to record audio or video using Google Chrome without any logging indication being displayed.
Most modern web browsers support the Web Real-Time Communications (WebRTC) feature. One of the advantages of WebRTC is that it supports real-time communication without the use of plugins. It has options to create audio and video chat services, p2p data sharing, sharing screenand many more.
However, there is a disadvantage in WebRTC, as local IP addresses can leak out through web browsers that support WebRTC.
The reported vulnerability affects Google Chrome, but it may affect other browsers. To work, you should visit a site and allow it to use WebRTC. A website that wants to record audio or video hidden without knowing it should create a JavaScript window, without a header, like a pop up or popup window, for example.
Then it can record audio or video without giving Google Chrome any indication that it is happening at the moment. Chrome usually displays the sign-ups on the tab that uses the feature, but because the JavaScript window does not have a header, nothing appears to the end user.
For the above defect, a PoC was created on the Chromium Bugs website. All you need to do is click on two buttons and allow the web page to use WebRTC in your browser. PoC can record the sound for 20 seconds and lets you download the recording to your computer.
One member of the Chromium team confirmed the vulnerability, but did not consider it important.
“It's not really a security vulnerability – for example, WebRTC on a mobile device doesn't show any indication of the Browser. Το bug λειτουργεί μόνο στην επιφάνεια εργασίας όταν διαθέτουμε Chrome και υπάρχει availables space in the UI.”
Of course, the technician's explanation doesn't make much sense. Since Android doesn't show the indicator and Google Chrome on the desktop only shows it if there is enough space in the UI, isn't that a security vulnerability? At the very least, it is a matter of protecting our privacy since a potentially eavesdropping operation occurs data without users knowing.
Google may fix this vulnerability in the future, but until then, the best form of protection is to disable WebRTC, which can be done easily if you do not need it.
The second thing you can do is prevent websites from using WebRTC.
https://bugs.chromium.org/p/chromium/issues/detail?id=709952
