Bar-Zik told Bleeping Computer that he discovered this error while working with a website running WebRTC code. WebRTC is a protocol for streaming audio and video over the Internet in real time. To do so, users must give access to component audio and video for that website.
Upon receiving access, the website will run JavaScript code to record audio and images before posting to the Internet for other WebRTC participants. This recording process is done through MediaRecorder API based on JavaScript.
Bar-Zik discovered that this code recorded without having to run on the browser card that it received access to. Because access to audio and video data was given to the entire domain, the Israeli developer realized that he could open a popup window on Chrome and run the code for recording and recording.
Window popup when recording, recording
Chrome displays the icon on the browser tab, not the popup window because this window has no tab bar.
Bar-Zik told Bleeping Computer that after verifying the problem, he reported the error to Google. The report comes with a demo that requires users to grant access, open a popup window when they click and record 20 seconds, then provide a link to download the recorded file. Interested readers can download the code to prove this error here.
In the response Bar-Zik received, Google refused to consider it a security error.
This is not really a security hole. WebRTC, for example, on mobile devices doesn't have a browser indicator either. That icon is an optimal priority effort that can only work on computers when the Chrome interface space can be met. We have sought to improve the situation.
Bar Zik disagrees with Google's review. Researchers believe that many people tend to click on requests that require access without even reading through. Once unintentionally or deliberately empowering a website to access audio and video components, more complex attacks can occur.
For example, Bar-Zik thinks an attacker can use a small popup window to open the attack code. This code uses a camera to take pictures of users, recordings or sounds nearby. If they do not pay attention to this window, they will not know because there is no indication of recording or recording. Another scenario is that users can think of this popup window as an advertisement. If not turned off immediately, the attacker can monitor the user's computer.
Bar-Zik also said that an attacker doesn't need to create a website to ask for access. He can exploit XSS script (Cross-site scripting), insert malicious code on websites that have already received access. These vulnerabilities will bring the attack code into the computer.
Because this is not considered a security issue, Chrome does not receive emergency recovery. However, Google is not wrong to consider this a security issue because this red circle icon is not available on all Chrome versions. Users who want to be safe from these attacks should pay attention to the access they give to the website.