When the famous (‘infamous’, ‘the hero’) NSA contractor Edward Snowden revealed that the US government was watching us through Yahoo web chat in a project called ‘Optic Nerve’, we got really scared. A developer from AOL, Mr. Ran Bar Zik, has now reported a similar situation. He insists we could be spied on and watched without our knowledge through a UX design flaw in Google Chrome. If a hacker with malicious intent exploits this flaw, then yes, it is possible, and users will not be aware that they are being spied on.
How it Works
Modern web browsers like Google Chrome and Mozilla Firefox use a collection of protocols called WebRTC (Web Real-Time Communication) for real-time audio and video communication. Web browsers don’t need a plugin if they are using WebRTC.
To protect against unauthorized audio and video streaming over WebRTC, the browser asks the user to allow a particular website to use WebRTC and then to access the device’s camera and microphone. The main, exploitable danger is that once permission is granted, the website keeps that access until you manually revoke these WebRTC permissions. So the web browser alerts the user with an indication, mostly in the window header, whenever audio or video is being recorded. In Google Chrome too, the only indication lies in the window header.
The danger is that if a website with malicious intent opens a headless pop-up window, it can record audio and video secretly, because a window without a header has nowhere to show that indication.
The developer Ran Bar Zik also provided a demo website that demonstrates the situation. You can check it yourself with Google Chrome; all that is needed is to click two buttons. Don’t worry, it is safe.
The more interesting thing is that when Mr. Ran Bar Zik reported the flaw to Google on April 10, 2017, they rejected it as a flaw. In their words:
“This isn’t really a security vulnerability – for example, WebRTC on a mobile device shows no indicator at all in the browser,” a Chromium member replied to the researcher’s report.
Currently the flaw is reported to affect Google Chrome only, but of course it may affect other web browsers.
- Disable WebRTC if you really don’t need it.
- If you require this on some sites, allow only trusted ones.
- The funny but only truly safe solution is what Facebook’s CEO showed us: tape over the camera on our devices.
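
To act on the second tip, it helps to see which sites still hold a camera or microphone grant, since a grant lasts until it is manually revoked. The script below is an added example, not code from Ran Bar Zik or the Chrome project; the Preferences layout described in its first comment is an assumption, and the function names and sample data are constructed for illustration.

```javascript
// Assumed Preferences layout (may differ between Chrome versions):
//   profile.content_settings.exceptions.<type>["<origin>,*"] = { setting: N }
// with setting 1 = allow and 2 = block.
const MEDIA_TYPES = { media_stream_camera: "camera", media_stream_mic: "microphone" };
const ALLOW = 1;

// Reduce "https://host:443" to its origin; keep wildcard patterns unchanged.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return value;
  }
}

// Return every origin holding a standing camera/microphone grant.
function auditMediaGrants(prefs, trustedOrigins = []) {
  const trusted = new Set(trustedOrigins.map(normalizeOrigin));
  const exceptions = prefs?.profile?.content_settings?.exceptions ?? {};
  const byOrigin = new Map();
  for (const [key, device] of Object.entries(MEDIA_TYPES)) {
    for (const [pattern, entry] of Object.entries(exceptions[key] ?? {})) {
      if (!entry || entry.setting !== ALLOW) continue; // skip blocked sites
      const origin = normalizeOrigin(pattern.split(",")[0]);
      if (!byOrigin.has(origin)) byOrigin.set(origin, []);
      byOrigin.get(origin).push(device);
    }
  }
  return [...byOrigin.entries()]
    .map(([origin, devices]) => ({ origin, devices: devices.sort(), trusted: trusted.has(origin) }))
    .sort((a, b) => a.origin.localeCompare(b.origin));
}

// Grants that are not on the user's trusted list: candidates for revocation.
function untrustedGrants(prefs, trustedOrigins) {
  return auditMediaGrants(prefs, trustedOrigins).filter((g) => !g.trusted);
}

// Constructed sample data, not taken from a real profile.
const SAMPLE_PREFS = { profile: { content_settings: { exceptions: {
  media_stream_camera: {
    "https://meet.example.com:443,*": { setting: 1 },
    "https://demo.example.net:443,*": { setting: 1 },
    "https://ads.example.org:443,*": { setting: 2 },
  },
  media_stream_mic: { "https://meet.example.com:443,*": { setting: 1 } },
} } } };

console.log(untrustedGrants(SAMPLE_PREFS, ["https://meet.example.com"]));
```

For a real profile, pass the parsed JSON of the profile's Preferences file as `prefs` and your own list of trusted sites as `trustedOrigins`.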