Chrome web pages could secretly be recording audio and video

A Chrome bug, reported by an AOL web developer, would allow websites to record a user without alerting them to the action.

How can cybersecurity professionals get better? They need to think like hackers

Google Chrome users beware: Some websites you visit could be secretly recording you without your knowledge. According to a bug filed by AOL web developer Ran Bar-Zik, websites running WebRTC code can record without presenting the graphical red dot in the website tab.

The real issue with the bug, though, is user education. The website will first request permission to record before doing so. However, Bar-Zik argued in a BleepingComputer report, UI fatigue often has users simply clicking Yes on popups to make them go away.

Usually, Chrome presents a red dot on the web page tab to indicate that it is recording. But, with this bug, a JavaScript code runs that begins the recording without any visual indication for the user, the report said.

SEE: Information security incident reporting policy template (Tech Pro Research)

After testing the bug and confirming with colleagues, Bar-Zik filed an official bug report with Google, including a demo that gives an example of the issue. However, Google's initial response seemed to indicate that the company saw it as a very big issue:

This isn't really a security vulnerability - for example, WebRTC on a mobile device shows no indicator at all in the browser. The dot is a best-first effort that only works on desktop when we have chrome UI space available.

That being said, we are looking at ways to improve this situation. I'll put this in our general permissions indicator pool.

Bar-Zik didn't agree with the response, stating in the report that "Real attacks will not be very obvious." Bar-Zik also said that he believes the issue could be weaponized.

Image: iStockphoto/stnazkul

Another Google employee later added the following responses:

I think that this needs to be at least P1. Being able to record audio/video without indicator is problematic in my opinion. On Android we show a OS level notification if something is recording.

A workaround could be to block video/audio permission for popups?

While the issues presented isn't necessarily a nefarious bug, it is a reminder of the importance of understanding website permissions. IT leaders should make sure they have a policy in place that address all website permissions, especially those for WebRTC.

The 3 big takeaways for TechRepublic readers

  1. An AOL web developer recently discovered an issue in Chrome that could allow certain websites to record users without them knowing.
  2. The websites, running WebRTC, will ask permission to record, but users could glance over these permissions when browsing.
  3. The issue isn't a major bug, but it highlights the importance of checking permissions carefully.

Also see