GETTY • GOOGLE
Google Chrome can enable malicious sites to record audio and video behind your back
Google Chrome could enable sites to record audio and video without its users being aware, it has been claimed.
According to AOL developer Ran Bar-Zik, a flaw within the browser enables malicious sites to record audio and video – without giving away that anything nefarious is happening on your computer. Bar-Zik reported the UX flaw to Google, back in April 2017.
However, the California-based technology company confirmed it would look to find ways to "improve the situation" with future releases.
"This isn't really a security vulnerability – for example, WebRTC on a mobile device shows no indicator at all in the browser," a Chromium member replied to the researcher's report.
"The dot is a best-first effort that only works on the desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation."
Google Chrome – The 11 hidden tricks EVERY Chrome users needs to know Wed, March 15, 2017
Google Chrome is the most popular web browser on the planet. It is easy-to-use, lightning-fast, and has a tonne of hidden tricks and features that you probably do not know about. Here's how to get the most from your web browser.
EXPRESS NEWSPAPERS 1 of 12
Here's how to get the most from your web browser
So, how does the flaw in Google Chrome work?
The Chrome browser relies on Web Real-Time Communications, or WebRTC, protocols to make and receive audio and video calls without the need for additional plugins.
To protect users' privacy, web browsers will check with the user whether a certain website has permission to use WebRTC to access the device's camera and microphone.
Once permission is granted, that site will always be able to access your camera and microphone until you manually revoke WebRTC permissions.
Get Quotes on Home Insurance
It's the reason you don't have to constantly grant Facebook permission to use your camera and microphone each time you login to the website and make a video call.
This is convenient, but could in theory allow previously authorised sites to covertly access your device's camera and microphone.
To prevent this – web browser have a visual indication whenever audio or video is being recorded.
For example, Google Chrome uses a small red dot icon within the tab to alert users whenever audio or video streaming is live.
Chrome provides visual indicators whenever approved sites are accessing audio or video
According to developer Ran Bar-Zik, "This record indication is the last and the most important line of defence."
This works because Google Chrome has not been designed to display a red-dot indication on headless windows.
This enables website developers to "exploit small UX manipulation to activate the MediaRecorder API without alerting the users," Bar-Zik writes.
In order to stay safe, it is possible to simply disable WebRTC.
FACEBOOK • MARK ZUCKERBERG
Facebook CEO Mark Zuckerberg puts tape across his webcam to prevent people spying on him
However those who require the feature should only ever granted permissions to trusted websites – and always look for any other windows spawned by a site that you might not be expecting when using WebRTC features.
Facebook CEO Mark Zuckerberg and former FBI director James Comey have previously admitted they put tape over laptops' webcams to stop this type of attack.
Granted, tape will not stop hackers or governments recording your voice – it will prevent them watching live video feeds.
- Express.co.uk has approached Google for comment on this story