A vulnerability reported to Google on April 10, 2017 allows an attacker to record audio or video using Google Chrome without displaying any indication.
Most modern web browsers support WebRTC (Web Real-Time Communications). One of the advantages of WebRTC is that it supports real-time communication without the use of plugins. It offers options for building audio and video chat services, p2p data sharing, screen sharing and more.
However, there is a disadvantage in WebRTC, as local IP addresses can leak out through web browsers that support WebRTC.
The reported vulnerability affects Google Chrome, but it may affect other browsers. For it to work, the user must visit a site and allow it to use WebRTC. A website that wants to record audio or video covertly, without the user knowing, has to create a JavaScript window without a header, such as a pop-up window.
It can then record audio or video without Google Chrome giving any indication that recording is happening at that moment. Chrome usually displays recording indicators in the tab that uses the feature, but because the JavaScript window has no header, nothing is shown to the end user.
A PoC for the above flaw has been posted on the Chromium Bugs website. All you need to do is click two buttons and allow the website to use WebRTC in your browser. The PoC records audio for 20 seconds and lets you download the recording to your computer.
One member of the Chromium team confirmed the vulnerability, but did not consider it important.
"It's not really a security vulnerability - for example, WebRTC on a mobile device does not show any indication in the browser. The bug only works on the desktop when we have Chrome and there is space available in the UI."
Of course, the team member's explanation doesn't make much sense. If Android doesn't show the indicator and Google Chrome on the desktop only shows it when there is enough space in the UI, isn't that a security vulnerability? At the very least, it's a privacy issue, since there's a feature that can intercept data without users' knowledge.
Google may fix this vulnerability in the future, but until then, the best form of protection is to disable WebRTC, which can be done easily if you do not need it.
The second thing you can do is prevent websites from using WebRTC.
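One way to apply that second option to the case described above is a script running in the page context that logs every capture request and refuses it when the window has no visible browser UI. This is an added example, not code from the Chromium bug report; `isChromelessWindow`, `guardCapture` and `fakeWindow` are hypothetical names, and the windows are constructed mocks so it runs under Node.

```javascript
// Added example (not from the bug report). All function names are hypothetical.

// Assumption: a header-less pop-up reports its browser UI bars as hidden
// through the standard BarProp objects (window.locationbar.visible, ...).
function isChromelessWindow(win) {
  return [win.locationbar, win.toolbar, win.menubar]
    .some((bar) => bar && bar.visible === false);
}

// Wrap getUserMedia so every request is logged and requests coming from a
// window without visible browser UI are refused before any prompt or capture.
function guardCapture(win, auditLog) {
  const devices = win.navigator.mediaDevices;
  const original = devices.getUserMedia.bind(devices);
  devices.getUserMedia = function (constraints) {
    const entry = {
      time: new Date().toISOString(),
      origin: win.location.origin,
      audio: Boolean(constraints && constraints.audio),
      video: Boolean(constraints && constraints.video),
      blocked: isChromelessWindow(win),
    };
    auditLog.push(entry);
    if (entry.blocked) {
      const err = new Error("capture refused: no visible browser UI");
      err.name = "NotAllowedError";
      return Promise.reject(err);
    }
    return original(constraints);
  };
}

// Constructed stand-in for a browser window, so the example runs under Node.
function fakeWindow(barsVisible) {
  const bar = { visible: barsVisible };
  return {
    locationbar: bar, toolbar: bar, menubar: bar,
    location: { origin: "https://example.test" },
    navigator: { mediaDevices: { getUserMedia: () => Promise.resolve("stream") } },
  };
}

// Demo: a request from a header-less pop-up is logged and rejected.
const demoLog = [];
const popup = fakeWindow(false);
guardCapture(popup, demoLog);
popup.navigator.mediaDevices.getUserMedia({ audio: true })
  .catch((e) => console.log(e.name, demoLog[0].blocked));
```

The audit log keeps allowed requests as well, so capture activity can be reviewed per origin.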
https://bugs.chromium.org/p/chromium/issues/detail?id=709952