A vulnerability reported to Google on April 10 2017 allows an attacker to record audio or video using Google Chrome without displaying any logs.
Most modern Web browsers support WebRTC (Web Real-Time Communications). One of the benefits of WebRTC is that it supports real-time communication without plugins. It has options for creating audio and video chatting, data sharing p2p, screen sharing and more.
However, there is a disadvantage in WebRTC, as local IP addresses can leak out through web browsers that support WebRTC.
The reported vulnerability affects Google Chrome, but it may affect other browsers. To work, you should visit a site and allow it to use WebRTC. A website that wants to record audio or video hidden without knowing it should create a JavaScript window, without a header, like a pop up or popup window, for example.
Then it can record audio or video without giving Google Chrome any indication that it is happening at the moment. Chrome usually displays the sign-ups on the tab that uses the feature, but because the JavaScript window does not have a header, nothing appears to the end user.
For the above defect, a PoC was created on the Chromium Bugs website. All you need to do is click on two buttons and allow the web page to use WebRTC in your browser. PoC can record the sound for 20 seconds and lets you download the recording to your computer.
One member of the Chromium team confirmed the vulnerability, but did not consider it important.
"It's not really a security vulnerability - for example, WebRTC on a mobile device does not show any indication in the browser. The bug only works on the desktop when we have Chrome and there is space available in the UI. ”
The explanation of the technician certainly does not make much sense. Because Android does not display the clue and Google Chrome on the desktop only displays it if there is enough space in the UI, is it not a security vulnerability? At the very least, it is a matter of protecting our privacy as it is a function that can intercept data without the users knowing it.
Google may fix this vulnerability in the future, but until then, the best form of protection is to disable WebRTC, which can be done easily if you do not need it.
The second thing you can do is prevent websites from using WebRTC.
https://bugs.chromium.org/p/chromium/issues/detail?id=709952