A vulnerability reported to Google on April 10 2017 allows an attacker to record audio or video using Google Chrome without displaying any logs.
Most modern Web browsers support WebRTC (Web Real-Time Communications). One of the benefits of WebRTC is that it supports real-time communication without plugins. It has options for creating audio and video chatting, data sharing p2p, screen sharing and more.
However, there is a disadvantage in WebRTC, as local IP addresses can leak out through web browsers that support WebRTC.
The reported vulnerability affects Google Chrome, but it may affect other browsers. To work, you should visit a site and allow it to use WebRTC. A website that wants to record audio or video hidden without knowing it should create a JavaScript window, without a header, like a pop up or popup window, for example.
Then it can record audio or video without giving Google Chrome any indication that it is happening at the moment. Chrome usually displays the sign-ups on the tab that uses the feature, but because the JavaScript window does not have a header, nothing appears to the end user.
A PoC has been created for the above flaw on the Chromium Bugs website. All you need to do is click in two buttons and allow the website to use WebRTC in your browser. PoC can record audio for 20 seconds and allows you to download the recording to your computer.
One member of the Chromium team confirmed the vulnerability, but did not consider it important.
“It's not really a vulnerability in better safety – for example, WebRTC on a mobile device shows no indication in the browser. The bug only works on desktop when we have Chrome and there is space available in the UI.”
Of course, the technician's explanation doesn't make much sense. Since Android doesn't show the indicator and Google Chrome on the desktop only shows it if there is enough space in the UI, isn't that a security vulnerability? At the very least, it is a matter of protecting our privacy since a potentially eavesdropping operation occurs data unbeknownst to them users.
Google may fix this vulnerability in the future, but until then, the best form of protection is to disable WebRTC, which can be done easily if you do not need it.
The second thing you can do is prevent websites from using WebRTC.
https://bugs.chromium.org/p/chromium/issues/detail?id=709952
